CVE-2026-10163: Buffer Overflow in Edimax Router
| Field | Value |
|---|---|
| CVE ID | CVE-2026-10163 |
| CVSS score | 8.8 (High) |
| Attack vector | Network |
| Auth required | Low privileges required |
| Patch status | No verified patch/fixed version established from retrieved primary sources |
TL;DR - High-severity buffer overflow in Edimax BR-6478AC V2 firmware 1.23. - Affects
/goform/formUSBAccountviaUserName/Password; public exploit disclosure exists. - No confirmed in-the-wild exploitation or verified fixed version; restrict access and monitor now.
What Happened and Why It Matters
CVE-2026-10163 is a buffer overflow vulnerability in the Edimax BR-6478AC V2 router, specifically in the HTTP POST request handler for /goform/formUSBAccount. According to the NVD description, the vulnerable function is formUSBAccount, and the overflow can be triggered by manipulating the UserName and Password arguments. The confirmed affected firmware version from the CVE/NVD record is 1.23.
For defenders, the practical significance is the combination of network reachability, low attack complexity, and high potential impact. The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which means the issue can be exploited over the network without user interaction, but with low privileges. On an exposed or poorly segmented router management plane, that can translate to device instability, unauthorized configuration changes, or potentially full compromise. The NVD text does not explicitly claim remote code execution, so defenders should avoid overstating impact, but the confidentiality/integrity/availability metrics justify treating this as a serious appliance compromise risk.
A second operational point: this is not just a theoretical parser bug buried deep in a non-default service. The vulnerable path is a web management endpoint, and the named parameters are ordinary form fields. That typically makes exploitation easier to reproduce once an attacker has access to the administration interface or any reachable management surface that processes those parameters.
Exploitation Status: What Is Known
The exploitation picture is mixed but actionable. The NVD record states that “The exploit has been disclosed to the public and may be used.” That is sufficient to say that public exploit disclosure exists. This is stronger than “researchers discussed the issue” and should move the vulnerability into active review and containment queues for organizations still operating the device.
At the same time, in-the-wild exploitation is not confirmed from the retrieved evidence. The CVE is not listed in CISA KEV based on the provided research note, and no other primary-source evidence in the supplied material confirms live attacker use. So the most accurate operational summary is:
- PoC/public exploit: Yes, public exploit disclosure is indicated
- Exploitation in the wild: Not confirmed
- CISA KEV: No
That combination matters because public exploit disclosure often shortens time-to-abuse even when broad criminal adoption has not yet been documented. For small offices or home-office deployments using this router, internet-exposed management interfaces should be treated as high risk even without KEV status.
Affected Products and Versions
The confirmed affected product is Edimax BR-6478AC V2, with firmware version 1.23. That is the version explicitly supported by the available primary-source material in the CVE/NVD record and corroborating product identification. The vendor/product naming was cross-checked against the Edimax product page for BR-6478AC V2.
It is important to be precise here: based on the retrieved sources, there is no verifiable broader affected range such as “all versions before 1.24” or “<= 1.23.” Likewise, there is no verified fixed version number available from the sources provided. In other words:
| Product | Confirmed affected version(s) | Fixed version |
|---|---|---|
| Edimax BR-6478AC V2 | 1.23 | Unknown / not established from retrieved primary sources |
If you run this hardware and cannot immediately confirm firmware inventory, assume devices on 1.23 are vulnerable and treat adjacent versions cautiously until a vendor advisory or release note proves otherwise. In the absence of vendor remediation data, defenders should avoid assuming that newer-looking firmware is fixed, or that older firmware is definitely affected, without direct evidence.
How Attackers Would Likely Use This
The vulnerable component is the POST request handler at /goform/formUSBAccount. The NVD description specifically names the UserName and Password arguments as the inputs whose manipulation leads to a buffer overflow. In practical terms, an attacker with access to the relevant management function could submit oversized or malformed values to force memory corruption in the router’s web administration process.
What happens next depends on implementation details that are not available in the retrieved primary sources. The likely lower-bound impact is a crash or service disruption affecting the management interface or device stability. The upper-bound impact, reflected in the CVSS confidentiality, integrity, and availability ratings, is full compromise of the appliance. Because the public description does not explicitly claim code execution, defenders should frame the risk as buffer overflow with possible severe device compromise, rather than asserting RCE as confirmed fact.
A common defensive mistake with router CVEs is to focus only on internet exposure. That is necessary, but not sufficient. Even if WAN administration is disabled, a low-privileged actor on the internal network, a compromised endpoint, or a malicious insider may still be able to reach the management interface. The CVSS vector’s PR:L means some level of privileges are required, so defenders should review not only exposure but also who can authenticate to administrative functions and whether default or shared credentials remain in use.
What Defenders Should Do Next
First, inventory whether any Edimax BR-6478AC V2 devices are still deployed, and verify whether any are on firmware 1.23. If asset inventory is weak, identify them via DHCP leases, MAC OUIs, Nmap service banners, or edge network scans. This should be a same-day task for organizations that still depend on SMB-class routers in branch or home-office scenarios.
Second, review management exposure. If the web interface is reachable from untrusted segments or the internet, lock it down immediately. Then pull whatever telemetry you can around /goform/formUSBAccount, looking for POST activity, request bursts, unusually long parameters, and any correlated crash or reboot events. Because public exploit disclosure exists, it is reasonable to assume scanning and opportunistic probing may follow even without confirmed mass exploitation.
Third, monitor vendor channels for an actual firmware advisory or fixed release. Until one exists, your incident notes should explicitly record: confirmed affected version is 1.23; fixed version unknown; public exploit disclosure exists; in-the-wild exploitation not confirmed. That level of precision helps avoid both underreaction and unsupported claims.
For further reading on related topics, check our articles on network segmentation and PCI scope reduction and GitOps security checklist.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Detection and Triage Guidance
The best immediate detection approach is to inspect web management logs, reverse proxy logs if present, network telemetry, and crash/reboot indicators for access to /goform/formUSBAccount, especially POST requests containing unusually long UserName or Password fields. Many SMB routers have limited logging, so defenders may need to rely on upstream firewall, IDS, or packet capture data rather than the device itself.
Prioritize triage for any device that shows a sequence of failed or repeated POST requests to the same endpoint followed by router instability, web UI restarts, sudden unreachability, or unexplained configuration changes. Because the flaw is in form processing, high-frequency probing may stand out before successful exploitation does. If your environment lacks full HTTP logging for edge devices, that gap itself is a finding worth addressing.
Technical Notes
Example HTTP indicators to hunt for in web or reverse proxy logs:
POST /goform/formUSBAccount HTTP/1.1
Content-Type: application/x-www-form-urlencoded
UserName=<very long value>&Password=<very long value>
Example grep patterns for exported logs:
grep -R "POST /goform/formUSBAccount" /var/log 2>/dev/null
grep -R "formUSBAccount" /var/log 2>/dev/null
Example Splunk query for proxy or HTTP telemetry:
index=proxy OR index=firewall
(method=POST AND uri_path="/goform/formUSBAccount")
| eval body_len=len(coalesce(http_request_body, request_body, form_data))
| stats count min(body_len) max(body_len) values(src_ip) values(user) by dest_ip uri_path status
| sort - max(body_len)
Example Suricata-style signature concept to flag suspicious access to the endpoint with oversized form data:
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"Possible Edimax BR-6478AC V2 formUSBAccount overflow attempt";
flow:to_server,established;
http.method; content:"POST";
http.uri; content:"/goform/formUSBAccount";
pcre:"/UserName=.{128,}|Password=.{128,}/";
sid:1016301; rev:1;
)
Thresholds such as 128 bytes are heuristic, not vendor-specified. If you do not know the legitimate maximum field length, treat large outliers as suspicious and validate against normal admin usage.
Mitigation and Patching
At the time of writing, no verified patch or fixed firmware version has been established from the retrieved primary sources. That means defenders cannot responsibly state “upgrade to version X” because the fixed version number is unknown. In the absence of a confirmed vendor advisory, the safest assumption is that any BR-6478AC V2 running the confirmed affected firmware 1.23 is vulnerable and should be shielded from exposure immediately.
The most effective short-term mitigation is to reduce or eliminate access to the management interface. Disable WAN-side administration if enabled, restrict the router UI to a trusted management VLAN or a dedicated admin host, and place ACLs or firewall rules in front of the device where possible. Also rotate admin credentials, remove shared accounts, and audit whether low-privileged users can reach or authenticate to the vulnerable function. Since the CVSS vector indicates low privileges required, identity and access hygiene matters here.
Where router replacement is feasible, that may be the more defensible path if no vendor fix emerges. Consumer and SMB network gear often has limited observability and inconsistent patch support. If this model is business-critical and internet-adjacent, compensating controls should be treated as temporary, not final remediation.
Technical Notes
Because no fixed firmware version is verifiable from the supplied sources, use upgrade commands only after obtaining firmware directly from Edimax support or an authenticated vendor channel. A generic workflow for administrators managing the device from Linux might look like this:
# 1) Download firmware only after verifying it is the correct model/revision
wget https://vendor.example/BR-6478AC_V2_FW.bin -O BR-6478AC_V2_FW.bin
# 2) Verify checksum if the vendor provides one
sha256sum BR-6478AC_V2_FW.bin
If your environment manages router access through upstream firewall policy, apply a concrete workaround such as restricting HTTP/HTTPS administration to a single admin IP:
# Example iptables concept on an upstream Linux gateway
iptables -A FORWARD -p tcp -s <ADMIN_IP>/32 -d <ROUTER_IP> --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s <ADMIN_IP>/32 -d <ROUTER_IP> --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d <ROUTER_IP> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <ROUTER_IP> --dport 443 -j DROP
If WAN administration is enabled on the device, disable it in the administrative UI immediately. If your only access method is CLI on an upstream appliance, block internet-origin traffic to the router management IP and ports. Exact device-local commands are not available from the retrieved sources, so defenders should document the compensating control they actually applied rather than claiming a patch was installed.