Edimax BR-6428NS Buffer Overflow Vulnerability (CVE-2026-8776)

A buffer overflow vulnerability, identified as CVE-2026-8776, has been discovered in Edimax BR-6428NS router version 1.10. The vulnerability resides within the POST Request Handler component, specifically in the /goform/formPPTPSetup file and its formPPTPSetup function. Successful exploitation of this vulnerability allows a remote attacker to potentially execute arbitrary code. The vulnerability stems from the inadequate handling of the pptpUserName argument, which, when manipulated, leads to a buffer overflow condition. Publicly available exploit code exists, increasing the risk of active exploitation. The vendor was notified but has not responded.

Attack Chain

1. The attacker identifies an Edimax BR-6428NS router version 1.10 with a publicly accessible web interface.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/formPPTPSetup endpoint.
3. The crafted POST request includes the pptpUserName parameter with a value exceeding the expected buffer size.
4. The webserver receives the POST request and passes the pptpUserName argument to the formPPTPSetup function.
5. The formPPTPSetup function copies the overly long pptpUserName into a fixed-size buffer without proper bounds checking.
6. This buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.
7. The attacker gains the ability to execute arbitrary code on the router.
8. The attacker could then use this access to modify router settings, intercept network traffic, or establish a persistent backdoor.

Impact

Successful exploitation of CVE-2026-8776 allows a remote attacker to execute arbitrary code on the Edimax BR-6428NS router. This could allow the attacker to gain full control of the device, potentially compromising the network it serves. Given the lack of vendor response and the availability of public exploits, affected devices are at significant risk. This is especially impactful for small businesses and home users who often lack sophisticated security measures.

Recommendation

• Deploy the Sigma rule “Detect CVE-2026-8776 Exploitation Attempt — Malicious PPTP Username” to detect exploitation attempts (see below).
• Monitor web server logs for POST requests to /goform/formPPTPSetup with unusually long pptpUserName values.
• Consider using a web application firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint.
• If possible, disable the PPTP functionality of the router if not required.
• While a patch is unavailable, network segmentation can limit the impact of a compromised device.