{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/br-6675nd-1.12/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-9381"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BR-6675nD 1.12"],"_cs_severities":["high"],"_cs_tags":["buffer overflow","remote code execution","cve"],"_cs_type":"advisory","_cs_vendors":["Edimax"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, identified as CVE-2026-9381, has been discovered in Edimax BR-6675nD version 1.12. The vulnerability resides within the \u003ccode\u003eformPPPoESetup\u003c/code\u003e function located in the \u003ccode\u003e/goform/formPPPoESetup\u003c/code\u003e file, which handles POST requests to the device\u0026rsquo;s web interface. An attacker can trigger a buffer overflow by manipulating the \u003ccode\u003epppUserName\u003c/code\u003e argument passed to this function. The vulnerability is remotely exploitable and, due to the publication of a public exploit, poses an elevated risk. The vendor, Edimax, has reportedly not responded to vulnerability disclosure attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an Edimax BR-6675nD router running firmware version 1.12.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/formPPPoESetup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003epppUserName\u003c/code\u003e parameter with a value exceeding the expected buffer size.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s web server processes the POST request and passes the oversized \u003ccode\u003epppUserName\u003c/code\u003e value to the \u003ccode\u003eformPPPoESetup\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformPPPoESetup\u003c/code\u003e function attempts to copy the attacker-controlled \u003ccode\u003epppUserName\u003c/code\u003e value into a fixed-size buffer without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow occurs, overwriting adjacent memory regions on the stack or heap.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the overflow to overwrite critical data such as return addresses, potentially hijacking control flow.\u003c/li\u003e\n\u003cli\u003eUpon function return, the overwritten return address redirects execution to attacker-controlled code, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9381 can lead to arbitrary code execution on the affected Edimax BR-6675nD router. This can allow an attacker to gain complete control of the device, potentially enabling them to intercept network traffic, modify router configurations, or use the router as a pivot point for further attacks within the network. Given the widespread use of Edimax routers in home and small business environments, a large number of devices are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/formPPPoESetup\u003c/code\u003e with unusually long \u003ccode\u003epppUserName\u003c/code\u003e values to detect potential exploitation attempts (see Sigma rule \u003ccode\u003eDetect CVE-2026-9381 Exploitation Attempt via Long pppUserName\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on POST requests to the \u003ccode\u003e/goform/formPPPoESetup\u003c/code\u003e endpoint to mitigate potential brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-9381 Exploitation Success via Shell Spawn\u003c/code\u003e to identify command execution following successful exploitation.\u003c/li\u003e\n\u003cli\u003eContact Edimax support and request a security patch for CVE-2026-9381 to address the underlying vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:48:10Z","date_published":"2026-05-26T13:48:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-edimax-br-6675nd-buffer-overflow/","summary":"A remote buffer overflow vulnerability (CVE-2026-9381) exists in the `formPPPoESetup` function of the Edimax BR-6675nD 1.12 router's web management interface, allowing unauthenticated attackers to potentially execute arbitrary code by manipulating the `pppUserName` argument in a POST request.","title":"Edimax BR-6675nD Remote Buffer Overflow Vulnerability (CVE-2026-9381)","url":"https://feed.craftedsignal.io/briefs/2026-05-edimax-br-6675nd-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — BR-6675nD 1.12","version":"https://jsonfeed.org/version/1.1"}