PT-2025-14891 · Edimax · Edimax Ac1200 Wave 2 Dual-Band Gigabit Router Br-6478Ac V3

Regainer27

Published

2025-04-04

Updated

2025-04-08

CVE-2025-28146

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 version 1.0.15

Description A command injection issue was discovered via the fota url in the "/boafrm/formLtefotaUpgradeQuectel" API endpoint. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents.

Recommendations For Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 version 1.0.15, consider restricting access to the /boafrm/formLtefotaUpgradeQuectel API endpoint to minimize the risk of exploitation. Avoid using the fota url parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Code Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94CWE-78

Related Identifiers

BDU:2025-05009

CVE-2025-28146

Affected Products

Edimax Ac1200 Wave 2 Dual-Band Gigabit Router Br-6478Ac V3

CVE-2025-28146

Weakness Enumeration

Related Identifiers

Affected Products

References · 8