PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9296 Edimax CVE debrief

A command injection vulnerability exists in the Edimax BR-6428NS router firmware version 1.10. The vulnerability resides in the POST request handler for the `/goform/formWlanM` endpoint, where multiple parameters—including `ateFunc`, `ateGain`, `ateTxCount`, `ateChan`, `ateRate`, `ateMacID`, `e2pTxPower1` through `e2pTxPower7`, `e2pTx2Power1` through `e2pTx2Power7`, `ateTxFreqOffset`, `ateMode`, `ateBW`, `ateAntenna`, `e2pTxFreqOffset`, `e2pTxPwDeltaB`, `e2pTxPwDeltaG`, `e2pTxPwDeltaMix`, `e2pTxPwDeltaN`, and `readE2P`—are susceptible to command injection through improper input sanitization. The vulnerability can be exploited remotely by an authenticated attacker with low privileges. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges (though the description suggests authentication may be required), and low impacts to confidentiality, integrity, and availability. The exploit has been publicly disclosed, and the vendor was reportedly contacted but did not respond. The vulnerability status in NVD is currently marked as 'Deferred'.

Vendor: Edimax
Product: BR-6428NS
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-23
Original CVE updated: 2026-05-26
Advisory published: 2026-05-23
Advisory updated: 2026-05-26

Who should care

Network administrators managing Edimax BR-6428NS deployments, security teams responsible for SOHO router infrastructure, and organizations with remote workers using this equipment for home office connectivity

Technical summary

The Edimax BR-6428NS router firmware version 1.10 contains a command injection vulnerability in the `/goform/formWlanM` endpoint's POST request handler. The `system()` function is called with unsanitized input from 25 distinct parameters related to ATE (Advanced Test Equipment) and EEPROM configuration functions. An attacker can inject shell commands through these parameters, which are then executed with the privileges of the web server process. The vulnerability is remotely exploitable and a public exploit is available.

Defensive priority

medium

Recommended defensive actions

  • Restrict administrative access to the router management interface to trusted internal networks only
  • Implement network segmentation to isolate affected routers from untrusted networks
  • Monitor for suspicious POST requests to /goform/formWlanM containing shell metacharacters or command sequences
  • Apply firmware updates from Edimax if and when available
  • Consider replacing affected hardware if vendor patches are not forthcoming
  • Review and disable remote administration features if not strictly required
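The monitoring action above, as an added example that is not part of this debrief: a small Python checker that flags POST requests to /goform/formWlanM whose ATE/EEPROM parameters (the list the debrief names) carry shell metacharacters after percent-decoding. It assumes raw requests with bodies are available from a reverse proxy or IDS capture, since ordinary access logs do not record POST bodies; the sample requests and the 192.0.2.1 address are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Parameters the debrief lists as reaching system() in the formWlanM handler.
ATE_PARAMS = (
    ["ateFunc", "ateGain", "ateTxCount", "ateChan", "ateRate", "ateMacID"]
    + [f"e2pTxPower{i}" for i in range(1, 8)]
    + [f"e2pTx2Power{i}" for i in range(1, 8)]
    + ["ateTxFreqOffset", "ateMode", "ateBW", "ateAntenna", "e2pTxFreqOffset",
       "e2pTxPwDeltaB", "e2pTxPwDeltaG", "e2pTxPwDeltaMix", "e2pTxPwDeltaN",
       "readE2P"]
)
TARGET_PATH = "/goform/formWlanM"
# Characters that can break out of a command string handed to system().
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) < 2:
        return "", "", body
    return parts[0], parts[1].split("?", 1)[0], body


def suspicious_params(raw_request: str):
    """Names of ATE/EEPROM parameters whose decoded value contains shell
    metacharacters in a POST to /goform/formWlanM; [] otherwise."""
    method, path, body = parse_request(raw_request)
    if method != "POST" or unquote(path) != TARGET_PATH:
        return []
    # parse_qs percent-decodes, so %3B or %60 are checked as ';' or '`'.
    fields = parse_qs(body, keep_blank_values=True)
    return [name for name in ATE_PARAMS
            if any(SHELL_META.search(v) for v in fields.get(name, []))]


# Constructed sample requests (192.0.2.1 is a documentation address).
HEAD = ("POST /goform/formWlanM HTTP/1.1\r\nHost: 192.0.2.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
SAMPLE_BENIGN = HEAD + "ateFunc=1&ateChan=6&ateMacID=00:11:22:33:44:55"
SAMPLE_INJECT = HEAD + "ateFunc=1&ateChan=6%3Bid&readE2P=1"
SAMPLE_OTHER = HEAD.replace("formWlanM", "formLogin") + "user=a%3Bb"

if __name__ == "__main__":
    for label, req in [("benign", SAMPLE_BENIGN), ("inject", SAMPLE_INJECT),
                       ("other", SAMPLE_OTHER)]:
        print(label, suspicious_params(req))
```

Legitimate values such as MAC addresses (colons) and negative or hex power offsets pass the check, so alerts on these parameters are worth treating as high-signal rather than noise.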

Evidence notes

Vulnerability identified through VulDB submission (ID 811535) and published in NVD with 'Deferred' status. Multiple source references confirm technical details including affected parameters and endpoint. CVSS 4.0 scoring applied.

Official resources

Public disclosure occurred on 2026-05-23 with exploit availability confirmed. Vendor non-response documented.