Skip to main content

Edimax BR-6428NS EUVDEUVD-2026-31529

| CVE-2026-9294 HIGH
Classic Buffer Overflow (CWE-120)
2026-05-23 VulDB GHSA-w59p-45j6-4rch
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Re-analysis Queued
May 26, 2026 - 19:37 vuln.today
cvss_changed
CVSS changed
May 26, 2026 - 19:37 NVD
8.8 (HIGH) 7.4 (HIGH)
Analysis Generated
May 23, 2026 - 08:15 vuln.today

DescriptionCVE.org

A vulnerability was identified in Edimax BR-6428NS 1.10. The impacted element is the function formWanTcpipSetup of the file /goform/formWanTcpipSetup of the component POST Request Handler. Such manipulation of the argument pppUserName leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stack buffer overflow in the Edimax BR-6428NS 1.10 wireless router allows authenticated remote attackers to corrupt memory by sending an overlong pppUserName parameter to the /goform/formWanTcpipSetup endpoint. Publicly available exploit code exists, and the vendor failed to respond to the coordinated disclosure attempt, leaving devices without an official fix. With a CVSS of 8.8 and full CIA impact, successful exploitation can result in arbitrary code execution or device takeover on the embedded router.

Technical ContextAI

The Edimax BR-6428NS is a consumer-grade N150 wireless broadband router that exposes its administrative interface over HTTP through a series of 'goform' CGI handlers compiled into the embedded web server. The vulnerable function formWanTcpipSetup handles WAN configuration POST requests and copies the pppUserName argument into a fixed-size stack buffer without bounds validation, which matches the CWE-120 classic buffer copy without checking size of input. On MIPS/ARM-based SOHO routers like the BR-6428NS, such stack overflows typically overwrite the saved return address and can be leveraged for arbitrary code execution because the device firmware generally lacks modern mitigations such as ASLR, stack canaries, or non-executable stacks.

RemediationAI

No vendor-released patch identified at time of analysis, as the vendor did not respond to the disclosure reported by VulDB. Operators should immediately restrict access to the router's web administration interface by ensuring it is not exposed to the WAN (disable any 'Remote Management' or 'WAN Access' settings) and by placing the LAN-side admin interface behind firewall rules limiting it to trusted management hosts only, accepting the trade-off of needing console or physical access for configuration changes. Change any default or weak admin credentials to mitigate the PR:L precondition, and given the BR-6428NS is a legacy consumer router with no responsive vendor, the most defensible long-term action is to replace the device with a currently-supported model; consult the VulDB record at https://vuldb.com/vuln/365241 and the public exploit write-up at https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6428NS-formWanTcpipSetup-34b53a41781f80049b27db22e62fd8fd for indicator and detection details.

Share

EUVD-2026-31529 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy