critical threat

Edimax BR-6478AC Stack-Based Buffer Overflow Vulnerability (CVE-2026-10125)

A stack-based buffer overflow (CVE-2026-10125) exists in the formPPPoESetup function behind the /goform/formPPPoESetup endpoint of Edimax BR-6478AC firmware version 1.23. A remote attacker can execute arbitrary code by sending a POST request with an over-long pppUserName argument; a public exploit is available.

The vulnerable code is the formPPPoESetup function, reached through the router's POST request handler at /goform/formPPPoESetup. The handler copies the pppUserName argument of a crafted POST request into a fixed-size stack buffer without an adequate length check, so an attacker who can reach the web management interface can overwrite the stack and execute arbitrary code. Whether the endpoint can be reached without an authenticated management session is not stated here; until that is confirmed, treat any device whose management interface is reachable from an untrusted network as exposed. Because a public exploit exists, affected routers are at significant risk of remote code execution, and defenders should apply the mitigations and detections below.

Attack Chain

  1. The attacker locates an Edimax BR-6478AC running firmware 1.23 whose web management interface is reachable, typically because it is exposed to the internet.
  2. The attacker builds a POST request to /goform/formPPPoESetup whose pppUserName field is far longer than the fixed-size stack buffer the handler copies it into.
  3. The router's POST request handler dispatches the request to formPPPoESetup, which copies pppUserName into that buffer without checking its length.
  4. The copy runs past the end of the buffer and overwrites adjacent stack memory, including the saved return address.
  5. The attacker has chosen the bytes that land on the return address so that it points at attacker-controlled code or a ROP chain.
  6. When formPPPoESetup returns, execution jumps to that address instead of back to the caller, giving the attacker arbitrary code execution on the router.
  7. With control of the device the attacker can change its configuration, eavesdrop on or redirect traffic passing through it, or enrol it in a botnet.

Impact

Successful exploitation of this vulnerability allows a remote attacker to gain complete control over the Edimax BR-6478AC router. This can lead to a variety of malicious activities, including unauthorized network access, data theft, modification of router settings, and the use of the compromised device as part of a botnet. Given the availability of a public exploit, mass exploitation is possible, potentially impacting numerous home and small business networks.

Recommendation

  • Do not expose the router's web management interface to the WAN; if remote management is required, restrict it to known source addresses. This removes the precondition for the attack chain above regardless of whether the endpoint requires authentication.
  • Check with Edimax for a firmware release that addresses CVE-2026-10125 and apply it. This page does not identify a fixed version.
  • Deploy the Sigma rule Detect CVE-2026-10125 Exploitation Attempt via Long PPPoE Username to detect exploitation attempts in web server logs.
  • Inspect web server logs for POST requests to /goform/formPPPoESetup with abnormally long pppUserName values. A standard one-line access log does not record POST bodies, so the parameter is only visible where the full request is logged (reverse proxy, WAF, IDS) or where it is passed in the query string; measure the length after percent-decoding, since the firmware decodes the value before copying it.
  • Monitor network traffic from Edimax BR-6478AC devices for unexpected outbound connections or changes in DNS and routing behaviour, which would indicate a device that has already been taken over.

Detection coverage (2 rules)

Detect CVE-2026-10125 Exploitation Attempt via Long PPPoE Username

Level: high

Detects CVE-2026-10125 exploitation attempt via abnormally long pppUserName parameter in POST request to /goform/formPPPoESetup

Sigma | tactics: initial_access | techniques: T1189 (note: T1189 is Drive-by Compromise; exploitation of an exposed web endpoint maps to T1190, Exploit Public-Facing Application) | sources: webserver

Detect CVE-2026-10125 Exploitation Attempt via PPPoE Setup Endpoint Access

Level: medium

Detects CVE-2026-10125 exploitation attempt by monitoring access to the /goform/formPPPoESetup endpoint using the POST method, which is unusual for normal operations.

Sigma | tactics: initial_access | techniques: T1189 | sources: webserver
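The two detections above, implemented against constructed HTTP request captures so the logic can be checked offline. This is an added example, not the platform's Sigma rules or Edimax code; the 64-byte username threshold, the sample requests and the 192.168.2.1 host are assumptions, since the page does not state the real buffer size. It also covers the caveats from the Recommendation section: the high-severity rule needs request-body visibility, and the length must be measured after percent-decoding.

```python
"""Detection logic for the two CVE-2026-10125 rules on this page, run over
constructed request captures. Added example; not the platform's rule code."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/formPPPoESetup"
PARAM = "pppUserName"
# Assumed threshold: real PPPoE usernames look like user@isp and are short.
# The actual buffer size in BR-6478AC 1.23 is not stated on this page.
MAX_USERNAME_LEN = 64


def parse_raw_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, query, headers and body.

    The high-severity rule needs the body, so input must come from something
    that records it (reverse proxy, WAF, IDS); a one-line access log does not.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": parts.query,
        "headers": headers,
        "body": body.decode("latin-1"),
    }


def ppp_username(req: dict) -> Optional[str]:
    """Return the decoded pppUserName from the form body or the query string.

    Length is measured after percent-decoding because the firmware decodes the
    value before copying it: '%41' * 600 is 1800 bytes on the wire, 600 in RAM.
    """
    for source in (req["body"], req["query"]):
        fields = parse_qs(source, keep_blank_values=True)
        if PARAM in fields:
            return fields[PARAM][0]
    return None


def rule_endpoint_access(req: dict):
    """Medium: any POST to the PPPoE setup handler is rare in normal operation."""
    if req["method"] == "POST" and req["path"] == TARGET_PATH:
        return ("endpoint_access", "medium")
    return None


def rule_long_username(req: dict):
    """High: a POST to the handler carrying an over-long pppUserName."""
    if req["method"] != "POST" or req["path"] != TARGET_PATH:
        return None
    name = ppp_username(req)
    if name is not None and len(name) > MAX_USERNAME_LEN:
        return ("long_username", "high")
    return None


RULES = (rule_long_username, rule_endpoint_access)


def evaluate(raw: bytes) -> list:
    """Run every rule over one captured request and return the alerts raised."""
    req = parse_raw_request(raw)
    return [hit for rule in RULES if (hit := rule(req)) is not None]


def _post(body: str) -> bytes:
    """Build a constructed request to the handler (sample input, not a real capture)."""
    return (
        f"POST {TARGET_PATH} HTTP/1.1\r\nHost: 192.168.2.1\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode("latin-1")


# Constructed samples: a legitimate configuration change, a raw over-long
# username, the same length hidden behind percent-encoding, unrelated traffic.
SAMPLES = {
    "benign": _post("pppUserName=alice%40isp.example&pppPassword=s3cret&pppIdleTime=5"),
    "overflow": _post("pppUserName=" + "A" * 600 + "&pppPassword=x"),
    "encoded": _post("pppUserName=" + "%41" * 600 + "&pppPassword=x"),
    "unrelated": b"GET /index.asp HTTP/1.1\r\nHost: 192.168.2.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {evaluate(raw)}")
```

The benign configuration change still trips the medium rule, which is why that rule is rated medium: it is a rare-event signal, not a proof of exploitation. The percent-encoded sample shows why a regex on raw wire length is not enough; the decoded value is what reaches the stack buffer.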
