Edimax BR-6478AC Stack-Based Buffer Overflow Vulnerability (CVE-2026-10125)
A stack-based buffer overflow vulnerability (CVE-2026-10125) exists in the formPPPoESetup function of the /goform/formPPPoESetup file in Edimax BR-6478AC version 1.23, allowing a remote attacker to execute arbitrary code by manipulating the pppUserName argument in a POST request; a public exploit is available.
A stack-based buffer overflow vulnerability, CVE-2026-10125, has been identified in Edimax BR-6478AC version 1.23. The vulnerability lies within the formPPPoESetup function located in the /goform/formPPPoESetup file, a part of the POST Request Handler component. This flaw allows a remote attacker to execute arbitrary code by exploiting the pppUserName argument. The vulnerability is triggered via a specially crafted POST request. Given that a public exploit is available, this poses a significant risk to systems utilizing the affected Edimax router model, making them susceptible to remote code execution. Defenders should implement mitigations and detections to identify and prevent potential exploitation attempts.
Attack Chain
- The attacker identifies an Edimax BR-6478AC 1.23 router exposed to the internet.
- The attacker crafts a malicious POST request targeting the /goform/formPPPoESetup endpoint.
- The POST request includes a pppUserName argument with a payload exceeding the buffer's capacity, triggering the stack-based buffer overflow.
- The overflow overwrites adjacent memory on the stack, including the return address.
- The overwritten return address points to attacker-controlled code or a ROP chain.
- The router processes the crafted POST request, executing the formPPPoESetup function.
- The function attempts to return, but instead jumps to the attacker-controlled address, leading to arbitrary code execution.
- The attacker gains control of the router and can perform actions such as modifying settings, eavesdropping on network traffic, or using the router as a botnet node.
Impact
Successful exploitation of this vulnerability allows a remote attacker to gain complete control over the Edimax BR-6478AC router. This can lead to a variety of malicious activities, including unauthorized network access, data theft, modification of router settings, and the use of the compromised device as part of a botnet. Given the availability of a public exploit, mass exploitation is possible, potentially impacting numerous home and small business networks.
Recommendation
- Deploy the Sigma rule "Detect CVE-2026-10125 Exploitation Attempt via Long PPPoE Username" to detect exploitation attempts in web server logs.
- Inspect web server logs for POST requests to /goform/formPPPoESetup with abnormally long pppUserName values.
- Monitor network traffic for suspicious activity originating from Edimax BR-6478AC devices.
Detection coverage (2 rules)
Detect CVE-2026-10125 Exploitation Attempt via Long PPPoE Username
Severity: high. Detects a CVE-2026-10125 exploitation attempt via an abnormally long pppUserName parameter in a POST request to /goform/formPPPoESetup.
Detect CVE-2026-10125 Exploitation Attempt via PPPoE Setup Endpoint Access
Severity: medium. Detects a CVE-2026-10125 exploitation attempt by monitoring access to the /goform/formPPPoESetup endpoint using the POST method, which is unusual for normal operations.
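The two rules above, implemented as an added example (not the platform's rules or any vendor code) in Python and run over constructed log lines. It assumes a proxy or web-server log format that records the URL-encoded POST body in quotes; the 64-character threshold is an illustrative assumption, not a value from the advisory.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/goform/formPPPoESetup"
MAX_USERNAME_LEN = 64  # assumption: illustrative threshold, not a value from the advisory

# Assumed log format: <src> - - "<method> <path> <proto>" <status> "<url-encoded POST body>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<body>[^"]*)"$'
)

# Constructed sample lines: a normal PPPoE setup, a GET, an oversized pppUserName, an unrelated POST
SAMPLE_LOGS = [
    '10.0.0.5 - - "POST /goform/formPPPoESetup HTTP/1.1" 200 '
    '"pppUserName=alice%40isp.example&pppPassword=s3cret&pppMTU=1492"',
    '10.0.0.7 - - "GET /goform/formPPPoESetup HTTP/1.1" 200 ""',
    '203.0.113.9 - - "POST /goform/formPPPoESetup HTTP/1.1" 500 '
    '"pppUserName=' + "A" * 600 + '&pppPassword=x"',
    '10.0.0.5 - - "POST /goform/formLogin HTTP/1.1" 200 "username=admin&password=x"',
]

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(event, max_len=MAX_USERNAME_LEN):
    """Return (severity, pppUserName length) or None when the request is not of interest.
    'medium': any POST to the PPPoE setup endpoint (rare outside initial WAN configuration);
    'high': such a POST whose decoded pppUserName exceeds max_len characters."""
    if event["method"] != "POST" or event["path"].split("?")[0] != TARGET_PATH:
        return None
    # parse_qs percent-decodes, so the length is measured as the handler would see it
    params = parse_qs(event["body"], keep_blank_values=True)
    username_len = max((len(v) for v in params.get("pppUserName", [])), default=0)
    return ("high" if username_len > max_len else "medium", username_len)

def scan(lines):
    """Run both checks over an iterable of log lines and return one finding per hit."""
    findings = []
    for line in lines:
        event = parse_line(line)
        result = classify(event) if event else None
        if result:
            findings.append({"src": event["src"], "severity": result[0],
                             "username_len": result[1]})
    return findings
```

Running `scan(SAMPLE_LOGS)` yields a medium finding for the normal setup request and a high finding for the 600-character username from 203.0.113.9; the GET and the unrelated POST produce nothing.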