Skip to main content

Edimax BR-6675nD EUVD-2026-31600

| CVE-2026-9399 HIGH
Classic Buffer Overflow (CWE-120)
2026-05-24 VulDB GHSA-m37x-3837-x5f2
Buffer Overflow Br 6675Nd
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:51 vuln.today
CVSS changed
May 26, 2026 - 19:37 NVD
8.8 (HIGH) 7.4 (HIGH)

DescriptionCVE.org

A vulnerability was detected in Edimax BR-6675nD 1.12. This vulnerability affects the function formsetPPPoE of the file /goform/formsetPPPoE of the component POST Request Handler. Performing a manipulation of the argument pppUserName results in buffer overflow. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stack buffer overflow in the Edimax BR-6675nD 1.12 wireless router allows remote authenticated attackers to corrupt memory and achieve total compromise via a crafted pppUserName parameter sent to /goform/formsetPPPoE. Publicly available exploit code exists and the vendor did not respond to the disclosure, leaving deployed devices exposed without an official fix. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach router web UI on LAN or exposed WAN
Delivery
Authenticate with admin (often default) credentials
Exploit
Send POST to /goform/formsetPPPoE with oversized pppUserName
Install
Overflow stack buffer in handler
C2
Hijack saved return address
Execute
Execute shellcode as root
Impact
Persist on device and pivot into LAN
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network reachability to the router's HTTP administration interface, which by default listens only on the LAN unless remote management has been enabled, (2) valid low-privilege web UI credentials per the CVSS PR:L designation - in practice typically the device admin account, often left at vendor defaults on this consumer model, and (3) the ability to send an authenticated POST to /goform/formsetPPPoE with an oversized pppUserName parameter to the formsetPPPoE handler. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) scores 7.4 and indicates network-reachable, low-complexity exploitation requiring low-privilege authentication - meaning a valid web UI session is needed, which on consumer routers is often the well-known default admin/admin credential pair. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained access to the router's web admin interface - for example a malicious user on the LAN, a guest Wi-Fi client who recovered the default admin password, or an attacker exploiting an exposed WAN-side admin panel - logs in and issues a POST to /goform/formsetPPPoE with an oversized pppUserName value. The overflow overwrites the saved return address in the formsetPPPoE handler and redirects execution to attacker-controlled shellcode, yielding code execution at the privilege level of the web server process (typically root on these embedded devices) and full device takeover suitable for traffic interception, DNS hijacking, or pivoting into the LAN. …
Remediation No vendor-released patch identified at time of analysis, as the vendor did not respond to the VulDB disclosure attempt. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify and inventory all Edimax BR-6675nD 1.12 routers in the environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-31600 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy