PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9401 Edimax CVE debrief

A buffer overflow vulnerability exists in the Edimax BR-6675nD router firmware version 1.12. The vulnerability is located in the formWanTcpipSetup function within the /goform/formWanTcpipSetup endpoint, which handles POST requests. The pppUserName parameter is susceptible to buffer overflow through remote manipulation. The vulnerability was published on May 24, 2026, with the NVD record last modified on May 26, 2026. The vendor was reportedly contacted prior to disclosure but did not respond. Exploit details have been publicly disclosed and may be actively used. The vulnerability is classified as HIGH severity with a CVSS score of 7.4.

Vendor: Edimax
Product: BR-6675nD
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-24
Original CVE updated: 2026-05-26
Advisory published: 2026-05-24
Advisory updated: 2026-05-26

Who should care

Network administrators managing Edimax BR-6675nD deployments; SOHO users with this router model; security teams responsible for edge network device protection; incident responders tracking IoT/router exploitation campaigns

Technical summary

The Edimax BR-6675nD firmware 1.12 contains a buffer overflow in the WAN TCP/IP setup form handler. The pppUserName parameter in POST requests to /goform/formWanTcpipSetup lacks proper bounds checking, allowing remote attackers to overflow stack or heap buffers. The vulnerability requires low privileges and no user interaction, making it suitable for automated exploitation. The attack surface is the router's web management interface, typically exposed on LAN interfaces and potentially WAN if remote management is enabled.

Defensive priority

HIGH

Recommended defensive actions

  • Immediately restrict network access to the router's administrative interface, especially the /goform/formWanTcpipSetup endpoint
  • Apply network segmentation to isolate affected Edimax BR-6675nD devices from untrusted networks
  • Monitor for anomalous POST requests to /goform/formWanTcpipSetup containing oversized pppUserName values
  • Consider replacing or upgrading the device if no firmware patch becomes available because of vendor non-response
  • Implement intrusion detection signatures for buffer overflow attempts against router management interfaces
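The monitoring action above can be prototyped over logged HTTP requests. The following is an added example, not code from PatchSiren, Edimax or the CVE record: it flags POST requests to /goform/formWanTcpipSetup whose percent-decoded pppUserName is oversized or contains non-printable bytes. The 64-byte threshold, the record layout and the sample records are assumptions, since the page does not state the firmware's buffer size.

```python
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/formWanTcpipSetup"  # endpoint named in the advisory
PARAM = "pppUserName"                      # parameter named in the advisory
MAX_LEN = 64  # ASSUMPTION: alert threshold to tune, not the firmware buffer size


def inspect_request(method, url, body):
    """Return findings for one logged request; an empty list means no alert."""
    if method.upper() != "POST":
        return []
    if urlsplit(url).path.rstrip("/") != TARGET_PATH:
        return []
    # latin-1 maps bytes 1:1 to code points, so no byte is lost or replaced.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1")
    findings = []
    for value in fields.get(PARAM, []):    # the parameter may be repeated
        raw = value.encode("latin-1")      # length after percent-decoding
        if len(raw) > MAX_LEN:
            findings.append(f"oversized {PARAM}: {len(raw)} bytes")
        if any(b < 0x20 or b > 0x7E for b in raw):
            findings.append(f"non-printable bytes in {PARAM}")
    return findings


def scan(records):
    """Map record index -> findings for every record that raised an alert."""
    hits = {}
    for i, (method, url, body) in enumerate(records):
        found = inspect_request(method, url, body)
        if found:
            hits[i] = found
    return hits


# Constructed sample records (method, URL, raw body); field names other than
# pppUserName and the second path are made up for illustration.
SAMPLE = [
    ("POST", TARGET_PATH, b"other=1&pppUserName=alice%40isp.example"),
    ("POST", TARGET_PATH, b"pppUserName=" + b"A" * 300),
    ("POST", TARGET_PATH + "?t=1", b"pppUserName=" + b"%41" * 100),
    ("GET", TARGET_PATH, b""),
    ("POST", "/goform/otherForm", b"pppUserName=" + b"A" * 300),
]

if __name__ == "__main__":
    for index, found in scan(SAMPLE).items():
        print(index, found)
```

Measuring the value after percent-decoding matters: the third sample is 300 characters on the wire but 100 bytes once decoded, and the decoded length is what a form handler would copy.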

Evidence notes

Vulnerability confirmed through VulDB submission and analysis. CWE-119 and CWE-120 (buffer overflow weaknesses) identified. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, low privileges required, and no user interaction needed. Confidentiality, integrity, and availability impacts are all rated high. Exploit existence is marked as 'P' (proof of concept) in the CVSS vector.

Official resources

Public disclosure with vendor non-response; exploit details publicly available