Threat Feed
high advisory

Edimax BR-6675nD Remote Buffer Overflow Vulnerability (CVE-2026-9381)

A remote buffer overflow vulnerability (CVE-2026-9381) exists in the `formPPPoESetup` function of the Edimax BR-6675nD 1.12 router's web management interface, allowing unauthenticated attackers to potentially execute arbitrary code by manipulating the `pppUserName` argument in a POST request.

A buffer overflow vulnerability, identified as CVE-2026-9381, has been discovered in Edimax BR-6675nD version 1.12. The vulnerability resides within the formPPPoESetup function located in the /goform/formPPPoESetup file, which handles POST requests to the device’s web interface. An attacker can trigger a buffer overflow by manipulating the pppUserName argument passed to this function. The vulnerability is remotely exploitable and, due to the publication of a public exploit, poses an elevated risk. The vendor, Edimax, has reportedly not responded to vulnerability disclosure attempts.

Attack Chain

  1. An attacker identifies an Edimax BR-6675nD router running firmware version 1.12.
  2. The attacker crafts a malicious HTTP POST request targeting the /goform/formPPPoESetup endpoint.
  3. The POST request includes the pppUserName parameter with a value exceeding the expected buffer size.
  4. The router’s web server processes the POST request and passes the oversized pppUserName value to the formPPPoESetup function.
  5. The formPPPoESetup function attempts to copy the attacker-controlled pppUserName value into a fixed-size buffer without proper bounds checking.
  6. The buffer overflow occurs, overwriting adjacent memory regions on the stack or heap.
  7. The attacker leverages the overflow to overwrite critical data such as return addresses, potentially hijacking control flow.
  8. Upon function return, the overwritten return address redirects execution to attacker-controlled code, achieving remote code execution.

Impact

Successful exploitation of CVE-2026-9381 can lead to arbitrary code execution on the affected Edimax BR-6675nD router. This can allow an attacker to gain complete control of the device, potentially enabling them to intercept network traffic, modify router configurations, or use the router as a pivot point for further attacks within the network. Given the widespread use of Edimax routers in home and small business environments, a large number of devices are potentially vulnerable.

Recommendation

  • Monitor web server logs for suspicious POST requests to /goform/formPPPoESetup with unusually long pppUserName values to detect potential exploitation attempts (see Sigma rule Detect CVE-2026-9381 Exploitation Attempt via Long pppUserName).
  • Implement rate limiting on POST requests to the /goform/formPPPoESetup endpoint to limit repeated (brute-force) exploitation attempts.
  • Deploy the Sigma rule Detect CVE-2026-9381 Exploitation Success via Shell Spawn to identify command execution following successful exploitation.
  • Contact Edimax support and request a security patch for CVE-2026-9381 to address the underlying vulnerability.
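The first recommendation above (flagging POST requests to /goform/formPPPoESetup whose pppUserName value is unusually long) as an added example, not code from the advisory or from any detection platform. It assumes raw HTTP requests are available from a reverse proxy or network sensor in front of the router, because the parameter travels in the POST body and ordinary access logs do not record it; the 64-character threshold and the sample requests are constructed assumptions.

```python
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/formPPPoESetup"
PARAM = "pppUserName"
MAX_EXPECTED_LEN = 64  # assumed upper bound for a legitimate PPPoE username; tune per site


class ParsedRequest(NamedTuple):
    method: str
    path: str
    fields: Dict[str, List[str]]


def parse_http_request(raw: bytes) -> ParsedRequest:
    """Split a raw HTTP/1.x request into method, path and decoded form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ParsedRequest("", "", {})
    method, target = parts[0], parts[1]
    fields: Dict[str, List[str]] = {}
    if method == "POST":
        # parse_qs percent-decodes, so lengths reflect what the CGI handler receives
        fields = parse_qs(body.decode("latin-1", "replace"), keep_blank_values=True)
    return ParsedRequest(method, urlsplit(target).path, fields)


def check_request(raw: bytes) -> Optional[Dict[str, object]]:
    """Return an alert when a POST to the PPPoE handler carries an oversized username."""
    req = parse_http_request(raw)
    if req.method != "POST" or req.path != TARGET_PATH:
        return None
    # A request may repeat the parameter; judge the longest copy
    longest = max((len(v) for v in req.fields.get(PARAM, [])), default=0)
    if longest > MAX_EXPECTED_LEN:
        return {"rule": "CVE-2026-9381 attempt", "param": PARAM, "length": longest}
    return None


# Constructed sample requests (not captured traffic) for a local check.
BENIGN_REQUEST = (
    b"POST /goform/formPPPoESetup HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"pppUserName=user%40isp.example&pppPassword=secret&save=Apply"
)
SUSPICIOUS_REQUEST = (
    b"POST /goform/formPPPoESetup HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"pppUserName=" + b"A" * 300 + b"&pppPassword=x"
)

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(name, check_request(raw))
```

Feed `check_request` from whatever component sees the full request body; a GET to the same path or a long value on another parameter is deliberately not flagged, so pair it with the process-creation rule below for post-exploitation coverage.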

Detection coverage (2 rules)

Detect CVE-2026-9381 Exploitation Attempt via Long pppUserName

Severity: medium

Detects CVE-2026-9381 exploitation attempts: monitors web server logs for POST requests to /goform/formPPPoESetup with unusually long pppUserName values, indicating a potential buffer overflow attempt.

Format: Sigma | Tactic: initial_access | Technique: T1190 | Log source: webserver

Detect CVE-2026-9381 Exploitation Success via Shell Spawn

Severity: high

Detects successful CVE-2026-9381 exploitation: monitors process creation for shell processes spawned from a process associated with web requests, potentially indicating command execution following a buffer overflow.

Format: Sigma | Tactic: execution | Technique: T1059.004 | Log sources: process_creation, linux
