Skip to main content

Edimax BR-6428NS CVE-2026-8777

| EUVDEUVD-2026-30719 LOW
Command Injection (CWE-77)
2026-05-18 VulDB GHSA-8vqm-j289-7f3g
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 18, 2026 - 02:22 NVD
MEDIUM LOW
CVSS changed
May 18, 2026 - 02:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 18, 2026 - 01:43 vuln.today

DescriptionCVE.org

A vulnerability was found in Edimax BR-6428NS 1.10. This issue affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. Performing a manipulation of the argument stadrv_ssid results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Command injection in Edimax BR-6428NS firmware v1.10 allows authenticated remote attackers to execute arbitrary system commands via the stadrv_ssid parameter in POST requests to /goform/formStaDrvSetup. Public exploit code is available (documented in VulDB and researcher's Notion page), enabling low-complexity attacks against networks where attackers have obtained low-privilege credentials. The vendor received early disclosure but provided no response, leaving no official patch timeline.

Technical ContextAI

This vulnerability targets the Edimax BR-6428NS wireless router's web management interface, specifically the formStaDrvSetup function handling POST requests to the /goform/formStaDrvSetup endpoint. The flaw is a classic command injection (CWE-77) where insufficient input validation on the stadrv_ssid parameter allows an attacker to inject shell metacharacters and execute arbitrary operating system commands with the privileges of the web server process. The affected CPE (cpe:2.3:a:edimax:br-6428ns:*:*:*:*:*:*:*:*) indicates firmware version 1.10 is confirmed vulnerable. Command injection vulnerabilities in embedded device web interfaces are particularly dangerous because they typically execute with root or elevated privileges in the device's Linux-based firmware.

RemediationAI

No vendor-released patch identified at time of analysis - Edimax did not respond to vulnerability disclosure. Immediate compensating controls: (1) Disable remote management access to the web interface entirely, restricting administration to local network only via router firewall rules (trade-off: eliminates remote admin capability). (2) Change default administrative credentials immediately and enforce strong passwords (minimum 16 characters, randomized) to raise the authentication barrier, though this only reduces risk rather than eliminating it. (3) Implement network segmentation placing the BR-6428NS on an isolated management VLAN with strict ACLs limiting which hosts can reach the management interface (trade-off: requires managed switch infrastructure and VLAN-capable network design). (4) Monitor device logs for unexpected POST requests to /goform/ endpoints and failed authentication attempts. Long-term recommendation: Replace the Edimax BR-6428NS with an actively maintained router from a vendor with established security response processes, as vendor silence suggests this product may be end-of-life with no future security support. See VulDB references at https://vuldb.com/vuln/364402 and researcher disclosure at https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6428NS-formStaDrvSetup-34b53a41781f80ca940cc467cd15dfc2.

Share

CVE-2026-8777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy