EUVD-2026-31600
GHSA-m37x-3837-x5f2
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was detected in Edimax BR-6675nD 1.12. This vulnerability affects the function formsetPPPoE of the file /goform/formsetPPPoE of the component POST Request Handler. Performing a manipulation of the argument pppUserName results in buffer overflow. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Stack buffer overflow in the Edimax BR-6675nD 1.12 wireless router allows remote authenticated attackers to corrupt memory and achieve total compromise via a crafted pppUserName parameter sent to /goform/formsetPPPoE. Publicly available exploit code exists and the vendor did not respond to the disclosure, leaving deployed devices exposed without an official fix. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network reachability to the router's HTTP administration interface, which by default listens only on the LAN unless remote management has been enabled, (2) valid low-privilege web UI credentials per the CVSS PR:L designation - in practice typically the device admin account, often left at vendor defaults on this consumer model, and (3) the ability to send an authenticated POST to /goform/formsetPPPoE with an oversized pppUserName parameter to the formsetPPPoE handler. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) scores 7.4 and indicates network-reachable, low-complexity exploitation requiring low-privilege authentication - meaning a valid web UI session is needed, which on consumer routers is often the well-known default admin/admin credential pair. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has gained access to the router's web admin interface - for example a malicious user on the LAN, a guest Wi-Fi client who recovered the default admin password, or an attacker exploiting an exposed WAN-side admin panel - logs in and issues a POST to /goform/formsetPPPoE with an oversized pppUserName value. The overflow overwrites the saved return address in the formsetPPPoE handler and redirects execution to attacker-controlled shellcode, yielding code execution at the privilege level of the web server process (typically root on these embedded devices) and full device takeover suitable for traffic interception, DNS hijacking, or pivoting into the LAN. … |
| Remediation | No vendor-released patch identified at time of analysis, as the vendor did not respond to the VulDB disclosure attempt. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all Edimax BR-6675nD 1.12 routers in the environment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today