Skip to main content

Edimax BR-6428NS EUVDEUVD-2026-31531

| CVE-2026-9296 LOW
Command Injection (CWE-77)
2026-05-23 VulDB GHSA-4cf7-8gr7-m2jf
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 26, 2026 - 19:37 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 19:37 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 23, 2026 - 10:31 vuln.today

DescriptionCVE.org

A weakness has been identified in Edimax BR-6428NS 1.10. This impacts the function system of the file /goform/formWlanM of the component POST Request Handler. Executing a manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Command injection in Edimax BR-6428NS firmware version 1.10 exposes the device's operating system to remote command execution via the /goform/formWlanM POST request handler. An authenticated remote attacker (PR:L per CVSS) can manipulate any of 29+ wireless calibration and ATE parameters - including ateFunc, ateGain, e2pTxPower series, and readE2P - to inject arbitrary shell commands into the device OS. No vendor patch exists as Edimax did not respond to responsible disclosure; a publicly available exploit exists, and the breadth of vulnerable parameters indicates a systemic absence of input sanitization across the wlanM form handler.

Technical ContextAI

The affected endpoint /goform/formWlanM is a CGI-style POST handler embedded in the Edimax BR-6428NS SOHO router firmware (CPE: cpe:2.3:a:edimax:br-6428ns:*:*:*:*:*:*:*:*). The parameters at issue span two functional groups: ATE (Antenna Test Equipment) fields used for manufacturing RF calibration (ateFunc, ateGain, ateTxCount, ateChan, ateRate, ateMacID, ateTxFreqOffset, ateMode, ateBW, ateAntenna) and EEPROM calibration fields (e2pTxPower1-7, e2pTx2Power1-7, e2pTxFreqOffset, e2pTxPwDeltaB/G/Mix/N, readE2P). CWE-77 (Improper Neutralization of Special Elements Used in a Command) indicates that user-supplied POST parameter values are passed unsanitized to an internal shell command execution function - common in embedded Linux-based router firmware where shell scripts or system() calls process form inputs. The sheer number of injectable parameters (29+) suggests no sanitization layer exists at the handler level.

RemediationAI

No vendor-released patch identified at time of analysis - Edimax did not respond to the responsible disclosure attempt, leaving no official fix path. As immediate compensating controls: restrict access to the device's HTTP management interface (typically port 80) to trusted internal IP ranges only, blocking all external access at the network perimeter or upstream firewall; this eliminates the AV:N exposure without affecting normal device operation. If remote management is required, enforce VPN-gated access before the management interface is reachable, raising the effective authentication bar beyond the device's own credential check. Audit and change default credentials immediately, as default admin passwords on Edimax devices are widely documented and would satisfy the PR:L prerequisite in practice. Consider replacing the BR-6428NS with a currently supported device from a vendor with an active security response program - no mitigations fully compensate for an unpatched command injection with a public exploit. Vulnerability reference: https://vuldb.com/vuln/365243.

Share

EUVD-2026-31531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy