PatchSiren cyber security CVE debrief
CVE-2026-10166 Edimax CVE debrief
A command injection vulnerability exists in the Edimax BR-6478AC router firmware version 1.23. The vulnerability is located in the formWlbasic function behind the /goform/formWlbasic endpoint, where the rootAPmac parameter in POST requests is not properly sanitized, allowing remote attackers to inject and execute arbitrary commands. The vulnerability has been publicly disclosed and an exploit has been published. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, low privileges required, and no user interaction needed, with partial impacts to confidentiality, integrity, and availability. The vulnerability is not currently listed in CISA KEV.
- Vendor: Edimax
- Product: BR-6478AC
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-31
- Original CVE updated: 2026-05-31
- Advisory published: 2026-05-31
- Advisory updated: 2026-05-31
Who should care
Network administrators managing Edimax BR-6478AC deployments, security teams responsible for IoT and network infrastructure protection, and organizations using this router model for wireless access or as edge network equipment.
Technical summary
The Edimax BR-6478AC wireless router running firmware version 1.23 contains a command injection vulnerability in the formWlbasic function of the /goform/formWlbasic POST request handler. The rootAPmac parameter is passed to a command execution context without adequate input validation or sanitization, permitting shell metacharacters and command separators to be interpreted by the underlying operating system. Successful exploitation allows a remote attacker with low privileges to execute arbitrary commands on the device. The attack requires network access to the router's web management interface and does not require user interaction. The vulnerability has been publicly disclosed and exploit details are available.
Defensive priority
medium
Recommended defensive actions
- Restrict network access to the router's administrative interface to trusted management networks only
- Monitor for unauthorized POST requests to /goform/formWlbasic containing anomalous rootAPmac parameter values
- Apply firmware updates from Edimax if and when available for the BR-6478AC model
- Consider replacing end-of-life router hardware if vendor patches are not forthcoming
- Implement network segmentation to isolate IoT and router management traffic from production networks
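The monitoring action above can be written as an allowlist check on rootAPmac. This is an added example, not code from the advisory or from Edimax. It assumes that a legitimate value is a MAC address and that request records are available as (source, method, URL, form body) tuples; the `band` field and all sample records are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate rootAPmac is a MAC address, i.e. 12 hex digits
# with optional ':' or '-' separators. Everything else is reported.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}")
TARGET_PATH = "/goform/formwlbasic"


def anomalous_rootapmac(method, url, body):
    """Return the rootAPmac values in a request that are not well-formed MACs."""
    if method.upper() != "POST":
        return []
    # Compare only the path: ignore query string, trailing slash and case.
    if urlsplit(url).path.rstrip("/").lower() != TARGET_PATH:
        return []
    # parse_qs percent-decodes values, so an encoded separator (%3B) is judged
    # exactly like a literal one. Blank values are dropped (treated as unset).
    fields = parse_qs(body)
    # A repeated parameter yields several values; every one is checked.
    return [v for v in fields.get("rootAPmac", []) if not MAC_RE.fullmatch(v)]


def scan(records):
    """Return (source, bad_values) for every record that trips the check."""
    return [(src, bad) for src, method, url, body in records
            if (bad := anomalous_rootapmac(method, url, body))]


# Constructed sample records, not real traffic. 'band' is a hypothetical field.
SAMPLE = [
    ("192.0.2.10", "POST", "/goform/formWlbasic",
     "rootAPmac=00%3A11%3A22%3A33%3A44%3A55&band=2"),
    ("192.0.2.77", "POST", "/goform/formWlbasic",
     "band=2&rootAPmac=001122334455%3Becho+CONSTRUCTED"),
    ("192.0.2.77", "POST", "/goform/formWlbasic?x=1",
     "rootAPmac=001122334455&rootAPmac=%24%28CONSTRUCTED%29"),
    ("192.0.2.10", "GET", "/index.asp", ""),
]

if __name__ == "__main__":
    for src, bad in scan(SAMPLE):
        print(f"ALERT source={src} rootAPmac={bad!r}")
```

Matching on the expected format rather than on a list of known-bad characters means encoded, repeated, or otherwise unexpected values are all reported by the same rule.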
Evidence notes
Vulnerability disclosed via VulDB with references to a Notion-hosted technical writeup and VulDB entries. CVE published and modified 2026-05-31. CVSS 4.0 score of 2.1 rated LOW severity. Weaknesses identified as CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-77 (Command Injection). Vendor attribution is uncertain with low confidence based on reference domain candidate analysis.