Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A weakness has been identified in Edimax BR-6428NS 1.10. This impacts the function system of the file /goform/formWlanM of the component POST Request Handler. Executing a manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Command injection in Edimax BR-6428NS firmware version 1.10 exposes the device's operating system to remote command execution via the /goform/formWlanM POST request handler. An authenticated remote attacker (PR:L per CVSS) can manipulate any of 29+ wireless calibration and ATE parameters - including ateFunc, ateGain, e2pTxPower series, and readE2P - to inject arbitrary shell commands into the device OS. No vendor patch exists as Edimax did not respond to responsible disclosure; a publicly available exploit exists, and the breadth of vulnerable parameters indicates a systemic absence of input sanitization across the wlanM form handler.
Technical ContextAI
The affected endpoint /goform/formWlanM is a CGI-style POST handler embedded in the Edimax BR-6428NS SOHO router firmware (CPE: cpe:2.3:a:edimax:br-6428ns:*:*:*:*:*:*:*:*). The parameters at issue span two functional groups: ATE (Antenna Test Equipment) fields used for manufacturing RF calibration (ateFunc, ateGain, ateTxCount, ateChan, ateRate, ateMacID, ateTxFreqOffset, ateMode, ateBW, ateAntenna) and EEPROM calibration fields (e2pTxPower1-7, e2pTx2Power1-7, e2pTxFreqOffset, e2pTxPwDeltaB/G/Mix/N, readE2P). CWE-77 (Improper Neutralization of Special Elements Used in a Command) indicates that user-supplied POST parameter values are passed unsanitized to an internal shell command execution function - common in embedded Linux-based router firmware where shell scripts or system() calls process form inputs. The sheer number of injectable parameters (29+) suggests no sanitization layer exists at the handler level.
RemediationAI
No vendor-released patch identified at time of analysis - Edimax did not respond to the responsible disclosure attempt, leaving no official fix path. As immediate compensating controls: restrict access to the device's HTTP management interface (typically port 80) to trusted internal IP ranges only, blocking all external access at the network perimeter or upstream firewall; this eliminates the AV:N exposure without affecting normal device operation. If remote management is required, enforce VPN-gated access before the management interface is reachable, raising the effective authentication bar beyond the device's own credential check. Audit and change default credentials immediately, as default admin passwords on Edimax devices are widely documented and would satisfy the PR:L prerequisite in practice. Consider replacing the BR-6428NS with a currently supported device from a vendor with an active security response program - no mitigations fully compensate for an unpatched command injection with a public exploit. Vulnerability reference: https://vuldb.com/vuln/365243.
Stack buffer overflow in the Edimax BR-6428NS router (firmware 1.10) allows remote authenticated attackers to corrupt me
Stack buffer overflow in the Edimax BR-6428NS router firmware version 1.10 allows authenticated remote attackers to corr
Buffer overflow in the Edimax BR-6428NS 1.10 router's web management interface allows authenticated remote attackers to
Stack buffer overflow in the Edimax BR-6428NS 1.10 wireless router allows authenticated remote attackers to corrupt memo
Command injection in the Edimax BR-6428NS 1.10 wireless router's web management interface allows a remotely authenticate
Command injection in Edimax BR-6428NS firmware v1.10 allows authenticated remote attackers to execute arbitrary system c
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31531
GHSA-4cf7-8gr7-m2jf