VYPR
Vypr IntelligenceAI-generatedMay 31, 2026· 12 CVEs

Edimax BR-6675nD: 12 CVEs Disclosed — Buffer Overflows and Command Injection Cluster

A batch of 12 vulnerabilities hit the Edimax BR-6675nD router on May 24–25, 2026, mixing buffer overflows and command injection flaws across a dozen POST-handler endpoints.

Key findings

  • 12 CVEs disclosed May 24–25, 2026 for Edimax BR-6675nD firmware 1.12
  • 7 buffer overflow flaws (CVSS 8.8) in WAN-setup and wireless survey handlers
  • 5 command injection flaws (CVSS 4.7–6.3) in WPS, USB, hardware-set, and status endpoints
  • All exploits publicly released; all vulnerabilities remotely exploitable
  • No patch available yet — vendor contacted prior to disclosure
  • Five overflows target PPPoE/PPTP/L2TP username fields, indicating systemic input-validation gaps

On May 24–25, 2026, a cluster of 12 CVEs was disclosed targeting the Edimax BR-6675nD router running firmware version 1.12. The batch spans two distinct bug classes — buffer overflow and command injection — across a dozen /goform/ POST-handler endpoints, with exploits publicly released for every vulnerability. Seven of the 12 carry a High severity rating (CVSSv3 8.8), making this one of the more serious same-day disclosure events for a consumer SOHO router in recent memory.

Buffer overflow cluster (7 CVEs, all High severity)

The largest thematic group in this batch is a set of seven buffer overflow vulnerabilities, each rated CVSSv3 8.8. They all follow the same pattern: a POST request handler in the router's web management interface copies a user-supplied argument into a fixed-size buffer without proper bounds checking. The affected functions and their respective arguments are:

  • CVE-2026-9403formWlSiteSurvey, argument selSSID
  • CVE-2026-9401formWanTcpipSetup, argument pppUserName
  • CVE-2026-9399formsetPPPoE, argument pppUserName
  • CVE-2026-9382formPPTPSetup, argument pptpUserName
  • CVE-2026-9381formPPPoESetup, argument pppUserName
  • CVE-2026-9380formL2TPSetup, argument L2TPUserName
  • CVE-2026-9402formWlanMP, arguments ateFunc/ateGain/ateRate/ateChan/ateTxCount/e2pTx2Power1 through e2pTx2Power5

The pattern is striking: five of the seven overflows involve PPPoE, PPTP, or L2TP username fields (pppUserName, pptpUserName, L2TPUserName), suggesting a systemic lack of input validation in the router's WAN connection-setup handlers. The CVE-2026-9402 entry is notable for the sheer number of manipulable arguments — 11 separate parameters in the manufacturing-test (ate) and EEPROM-power (e2pTx2Power) argument families.

Command injection cluster (5 CVEs, Medium severity)

The remaining five vulnerabilities are command injection flaws, each rated CVSSv3 6.3 except CVE-2026-9423 which comes in at 4.7. These allow an attacker to inject arbitrary operating-system commands through unsanitized arguments sent to the router's /goform/ endpoints:

  • CVE-2026-9439stainfo, argument interface
  • CVE-2026-9423mp, argument command
  • CVE-2026-9400formUSBStorage, argument sub_dir
  • CVE-2026-9379formWpsStart, argument pinCode
  • CVE-2026-9378formHwSet, arguments regDomain/ABandregDomain/nic0Addr/nic1Addr/wlanAddr/inicAddr

The CVE-2026-9378 entry is particularly broad: it covers six separate hardware-set arguments including MAC addresses (nic0Addr, nic1Addr, wlanAddr, inicAddr) and regulatory-domain settings (regDomain, ABandregDomain). The CVE-2026-9379 flaw in the WPS start handler (formWpsStart, argument pinCode) is especially concerning because WPS is often left enabled on consumer routers and can be triggered without authentication in many implementations.

Impact and exploitation context

Every CVE in this batch has its exploit publicly disclosed, according to the CVE descriptions. This means proof-of-concept code is already available, lowering the barrier to attack. All 12 vulnerabilities are remotely exploitable — an attacker only needs network access to the router's web management interface. The Edimax BR-6675nD is a dual-band wireless N router commonly deployed in small offices and home networks, where the management interface is frequently exposed on the LAN side and sometimes inadvertently exposed to the WAN.

No in-the-wild exploitation campaigns have been reported in the available sources, but the public availability of exploits combined with the High severity of the overflow cluster makes this a batch that defenders should treat with urgency.

Response and patch status

The vendor was contacted prior to disclosure. At the time of publication, no patch or firmware update beyond version 1.12 has been announced. Users of the Edimax BR-6675nD should monitor Edimax's support portal for a firmware update. As an interim mitigation, administrators should ensure the router's web management interface is not accessible from the WAN side and restrict LAN access to trusted devices only. Disabling WPS and USB storage features can reduce the attack surface for CVE-2026-9379 and CVE-2026-9400, respectively.

Why this matters

This batch is a textbook example of the vulnerability density that can accumulate in aging SOHO router firmware. The BR-6675nD is not a new device, and version 1.12 appears to be its current release — meaning these 12 flaws represent the state of the art for an unpatched unit. The mix of buffer overflows and command injections across configuration, WAN setup, WPS, and USB-storage handlers suggests that input validation was not applied systematically anywhere in the /goform/ POST handler family. For users still relying on this router, the message is clear: either apply a firmware update as soon as one ships, or plan for a hardware replacement.

AI-written article. Grounded in 12 CVE records listed below.