{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/br-6478ac-1.23/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-10125"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BR-6478AC 1.23"],"_cs_severities":["critical"],"_cs_tags":["cve","CVE-2026-10125","buffer overflow","edimax","router","rce"],"_cs_type":"threat","_cs_vendors":["Edimax"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, CVE-2026-10125, has been identified in Edimax BR-6478AC version 1.23. The vulnerability lies within the \u003ccode\u003eformPPPoESetup\u003c/code\u003e function located in the \u003ccode\u003e/goform/formPPPoESetup\u003c/code\u003e file, a part of the POST Request Handler component. This flaw allows a remote attacker to execute arbitrary code by exploiting the \u003ccode\u003epppUserName\u003c/code\u003e argument. The vulnerability is triggered via a specially crafted POST request. Given that a public exploit is available, this poses a significant risk to systems utilizing the affected Edimax router model, making them susceptible to remote code execution. Defenders should implement mitigations and detections to identify and prevent potential exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Edimax BR-6478AC 1.23 router exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/goform/formPPPoESetup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a \u003ccode\u003epppUserName\u003c/code\u003e argument with a payload exceeding the buffer\u0026rsquo;s capacity, triggering the stack-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent memory on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe overwritten return address points to attacker-controlled code or a ROP chain.\u003c/li\u003e\n\u003cli\u003eThe router processes the crafted POST request, executing the \u003ccode\u003eformPPPoESetup\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe function attempts to return, but instead jumps to the attacker-controlled address, leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the router and can perform actions such as modifying settings, eavesdropping on network traffic, or using the router as a botnet node.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to gain complete control over the Edimax BR-6478AC router. This can lead to a variety of malicious activities, including unauthorized network access, data theft, modification of router settings, and the use of the compromised device as part of a botnet. Given the availability of a public exploit, mass exploitation is possible, potentially impacting numerous home and small business networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-10125 Exploitation Attempt via Long PPPoE Username\u003c/code\u003e to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for POST requests to \u003ccode\u003e/goform/formPPPoESetup\u003c/code\u003e with abnormally long \u003ccode\u003epppUserName\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity originating from Edimax BR-6478AC devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-30T16:22:43Z","date_published":"2026-05-30T16:22:43Z","id":"https://feed.craftedsignal.io/briefs/2026-05-edimax-buffer-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-10125) exists in the formPPPoESetup function of the /goform/formPPPoESetup file in Edimax BR-6478AC version 1.23, allowing a remote attacker to execute arbitrary code by manipulating the pppUserName argument in a POST request; a public exploit is available.","title":"Edimax BR-6478AC Stack-Based Buffer Overflow Vulnerability (CVE-2026-10125)","url":"https://feed.craftedsignal.io/briefs/2026-05-edimax-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — BR-6478AC 1.23","version":"https://jsonfeed.org/version/1.1"}