Seven Remote-Code-Execution Flaws Disclosed in Edimax BR-6478AC Router; No Patch Available
Seven vulnerabilities, including command injection and stack-based buffer overflows, have been disclosed for the Edimax BR-6478AC router, all remotely exploitable with public exploit code already circulating.

On May 30–31, 2026, seven distinct vulnerabilities were disclosed for the Edimax BR-6478AC wireless router running firmware version 1.23. Published across a 12-hour window, the batch includes three command-injection flaws and four stack-based buffer overflows, all remotely exploitable through the router's POST request handler endpoints. Public exploit code has been released for every CVE in the set, which raises the urgency for operators of the estimated thousands of these devices still deployed in SOHO environments.
Three of the seven CVEs are command-injection vulnerabilities in the router's web management interface. CVE-2026-10166 and CVE-2026-10127 both involve the argument rootAPmac: the former in the /goform/formWlbasic endpoint (wireless basic settings), the latter in /goform/formStaDrvSetup (station driver setup). CVE-2026-10166 was disclosed on May 31, while CVE-2026-10127 was published a day earlier, on May 30. The third command-injection CVE is CVE-2026-10166 (the same ID; the batch contains two distinct command-injection flaws, with CVE-2026-10127 being the other). An attacker who can reach the router's management interface can inject arbitrary OS commands by crafting a malicious rootAPmac parameter in a POST request. Each of these CVEs carries a CVSSv3 score of 6.3 (Medium).
The remaining four CVEs are stack-based buffer overflow vulnerabilities, all rated High at CVSSv3 8.8. CVE-2026-10165 and CVE-2026-10125 both target the pppUserName argument — the former in /goform/formWanTcpipSetup (WAN TCP/IP setup) and the latter in /goform/formPPPoESetup (PPPoE configuration). CVE-2026-10164 affects the ShareName and SelectName arguments in /goform/formUSBFolder (USB folder sharing), while CVE-2026-10163 targets the UserName and Password arguments in /goform/formUSBAccount (USB account management). CVE-2026-10126 rounds out the overflow set, affecting the selSSID argument in /goform/formQoS (QoS settings). All four allow remote attackers to corrupt stack memory and potentially achieve arbitrary code execution on the device.
Every CVE in this batch has public exploit code available, according to the disclosure data. This dramatically lowers the barrier to entry for attackers: proof-of-concept code is already circulating, meaning active scanning for vulnerable BR-6478AC units is likely underway. Because these are router-level vulnerabilities, successful exploitation could give an attacker full control over the victim's network gateway — enabling traffic interception, DNS redirection, credential theft, or lateral movement into internal networks.
The Edimax BR-6478AC is an AC1200 dual-band wireless router commonly deployed in small offices and home networks. Firmware version 1.23 is the affected build across all seven CVEs. As of the disclosure date, no patch or updated firmware has been announced by Edimax.
At the time of publication, Edimax has not released a security advisory or firmware update addressing this batch. Users of the BR-6478AC on firmware 1.23 should consider the following mitigations: disable remote management (WAN-side access to the web interface) if enabled; restrict LAN-side access to the administration panel to trusted devices only; monitor for unusual traffic or unauthorized configuration changes; and check the Edimax support portal regularly for a firmware patch. Given that public exploits exist and no fix is yet available, the safest course for organizations relying on this model is to isolate or replace the device until a patched firmware is released.
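One way to act on the monitoring advice above, as an added example that is not from the article or from Edimax: a Python check for captured POST requests (for instance from a proxy or packet capture in front of the router) that flags the endpoints and arguments named in the CVE descriptions. The MAC pattern, the 64-byte length threshold and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Endpoints and arguments as named in the article; "mac"/"len" is the check applied.
CHECKS = {
    "/goform/formWlbasic": ("mac", ["rootAPmac"]),
    "/goform/formStaDrvSetup": ("mac", ["rootAPmac"]),
    "/goform/formWanTcpipSetup": ("len", ["pppUserName"]),
    "/goform/formPPPoESetup": ("len", ["pppUserName"]),
    "/goform/formUSBFolder": ("len", ["ShareName", "SelectName"]),
    "/goform/formUSBAccount": ("len", ["UserName", "Password"]),
    "/goform/formQoS": ("len", ["selSSID"]),
}
# Assumption: a MAC is 12 hex digits, optionally separated by ':' or '-'.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}")
# Assumption: the article gives no buffer sizes; 64 bytes is only a triage threshold.
MAX_LEN = 64

def inspect_request(method, path, body):
    """Return findings for one captured request (empty list if nothing stands out)."""
    if method.upper() != "POST":
        return []
    kind, args = CHECKS.get(path.split("?", 1)[0], (None, []))
    fields = parse_qs(body, keep_blank_values=True)  # also URL-decodes the values
    findings = []
    for arg in args:
        for value in fields.get(arg, []):
            size = len(value.encode())
            # fullmatch, not match: a trailing newline or suffix must not pass.
            if kind == "mac" and value and not MAC_RE.fullmatch(value):
                findings.append(f"{path} {arg}: not a MAC address")
            elif kind == "len" and size > MAX_LEN:
                findings.append(f"{path} {arg}: {size} bytes")
    return findings

# Constructed sample requests (method, path, URL-encoded body), not captured traffic.
SAMPLES = [
    ("POST", "/goform/formWlbasic", "rootAPmac=00%3A11%3A22%3A33%3A44%3A55"),
    ("POST", "/goform/formWlbasic", "rootAPmac=001122334455%3BCONSTRUCTED"),
    ("POST", "/goform/formPPPoESetup", "pppUserName=" + "A" * 200),
    ("POST", "/goform/formQoS", "selSSID=office-wifi"),
]

def scan(samples=SAMPLES):
    return [(i, f) for i, s in enumerate(samples) for f in inspect_request(*s)]

if __name__ == "__main__":
    for index, finding in scan():
        print(f"request {index}: {finding}")
```

A finding is a triage signal that a request falls outside what these form fields normally carry, not proof of exploitation; tune the length threshold against the device's legitimate configuration values.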
The simultaneous disclosure of seven remotely exploitable vulnerabilities — spanning both command injection and buffer overflow classes — with public exploit code for each makes this an unusually high-risk event for a single consumer-router model. The absence of a coordinated patch at disclosure time places the burden entirely on users to implement workarounds. This batch serves as a reminder that end-of-life or unpatched SOHO routers remain one of the most accessible footholds for network compromise, and that the window between public exploit publication and active scanning is now measured in hours, not days.