PatchSiren

CVE-2026-12810 Edimax CVE debrief

CVE-2026-12810 is a low-severity command injection vulnerability in the Edimax BR-6478AC V2 version 1.23. The vulnerability affects the mp function in the /goform/mp file, allowing for remote command injection via manipulated POST requests. The CVSS score is 2.1, indicating a relatively low risk. However, defenders should still prioritize patching due to the potential for exploitation. The vendor, Edimax, has not provided a response to this disclosure.

Vendor: Edimax
Product: BR-6478AC V2
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-21
Original CVE updated: 2026-06-22
Advisory published: 2026-06-21
Advisory updated: 2026-06-22

Who should care

Defenders responsible for Edimax BR-6478AC V2 devices, particularly those using version 1.23, should prioritize patching this vulnerability. Additionally, security teams monitoring for potential command injection attacks should be aware of this issue. Given the low CVSS score, it may not be an immediate priority, but it should be addressed in the regular patching cycle.

Technical summary

The vulnerability exists in the mp function of the /goform/mp file in Edimax BR-6478AC V2 version 1.23. An attacker can inject commands by manipulating the 'command' argument in a POST request. This vulnerability is identified as CWE-74 and CWE-77. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, indicating a low severity score of 2.1.

Defensive priority

Low priority due to CVSS score of 2.1, but still recommended for patching in regular cycles.

Recommended defensive actions

  • Apply the vendor patch for Edimax BR-6478AC V2 version 1.23.
  • Limit exposure by restricting access to the /goform/mp endpoint.
  • Monitor for suspicious POST requests to /goform/mp.
  • Review and update the device's configuration to prevent unnecessary exposure.
  • Verify the device's version and ensure it is patched.
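One way to carry out the monitoring step above is to review proxy or firewall request logs for POSTs to /goform/mp. The following is an added example, not code from the advisory or the vendor; the JSON-lines log schema (src, method, uri, body), the management subnet and the sample records are assumptions constructed for illustration.

```python
import json
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Assumptions, not from the advisory: the JSON-lines schema and the subnet.
MGMT_NET = ip_network("192.0.2.0/28")
# Characters a POSIX shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")

def review(line):
    """Return the findings for one log record (empty list if none)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["unparseable record"]
    path = urlsplit(rec.get("uri", "")).path.rstrip("/").lower()
    if rec.get("method", "").upper() != "POST" or path != "/goform/mp":
        return []
    findings = []
    try:
        outside = ip_address(rec.get("src", "")) not in MGMT_NET
    except ValueError:
        outside = True  # missing or malformed source address
    if outside:
        findings.append("POST to /goform/mp from outside management subnet")
    # parse_qs percent-decodes, so encoded metacharacters are caught too.
    fields = parse_qs(rec.get("body", ""), keep_blank_values=True)
    if any(SHELL_META.search(v) for v in fields.get("command", [])):
        findings.append("shell metacharacter in 'command' field")
    return findings

def scan(lines):
    """Return (line_number, findings) for every record with findings."""
    hits = [(n, review(l)) for n, l in enumerate(lines, 1)]
    return [(n, f) for n, f in hits if f]

# Constructed sample records; field values are placeholders.
SAMPLE_LOG = [
    '{"src":"192.0.2.5","method":"GET","uri":"/","body":""}',
    '{"src":"192.0.2.5","method":"POST","uri":"/goform/mp","body":"command=x"}',
    '{"src":"203.0.113.9","method":"POST","uri":"/goform/mp","body":"command=x"}',
    '{"src":"192.0.2.5","method":"POST","uri":"/goform/mp","body":"command=x%3By"}',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, "; ".join(findings))
```

Adapt the field names to whatever the logging device actually records; the check only works where request bodies are captured.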

Evidence notes

The primary evidence for this vulnerability comes from the NVD and VulDB sources. The affected product is Edimax BR-6478AC V2 version 1.23. The vulnerability allows for remote command injection via the mp function in /goform/mp. The CVSS score is 2.1, indicating low severity. The vendor has not provided a response to this disclosure.

This article is AI-assisted and based on the supplied source corpus.