PatchSiren cyber security CVE debrief
CVE-2026-9379 Edimax CVE debrief
A command injection vulnerability exists in the Edimax BR-6675nD router firmware version 1.12. The vulnerability is located in the formWpsStart function within the /goform/formWpsStart endpoint, where the pinCode parameter in POST requests is not properly sanitized, allowing remote attackers to inject and execute arbitrary commands. The vulnerability has a CVSS 4.0 base score of 2.1 (LOW severity) with the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The attack requires network access and low privileges but no user interaction. The exploit has been publicly disclosed and is available, increasing the risk of active exploitation. The vendor was contacted prior to disclosure but did not respond. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Improper Neutralization of Special Elements used in a Command).
- Vendor
- Edimax
- Product
- BR-6675nD
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-24
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-24
- Advisory updated
- 2026-05-26
Who should care
Organizations using Edimax BR-6675nD routers in production environments, network administrators responsible for SOHO router deployments, security teams monitoring for IoT/embedded device vulnerabilities, and incident response teams tracking command injection attacks against network infrastructure.
Technical summary
The Edimax BR-6675nD router firmware 1.12 contains a command injection vulnerability in the formWpsStart function of the /goform/formWpsStart endpoint. The pinCode parameter accepts unsanitized input that is passed to a command shell, enabling remote authenticated attackers to execute arbitrary commands with the privileges of the web server process. The vulnerability is remotely exploitable with low privileges required and no user interaction needed. Public exploit availability increases immediate risk despite the LOW CVSS base score.
Defensive priority
medium
Recommended defensive actions
- Restrict network access to the router's administrative interface to trusted hosts only
- Implement network segmentation to isolate affected routers from untrusted networks
- Monitor for suspicious POST requests to /goform/formWpsStart containing unusual pinCode parameter values
- Consider replacing affected Edimax BR-6675nD devices with supported alternatives given vendor non-response
- Review logs for indicators of compromise if exploitation is suspected
Evidence notes
Vulnerability identified in Edimax BR-6675nD firmware 1.12. Specific endpoint: /goform/formWpsStart. Affected parameter: pinCode. Attack vector: remote command injection via crafted POST request.
Official resources
Public disclosure occurred on 2026-05-24 with exploit availability. Vendor non-response to pre-disclosure contact.