CVE-2026-9402

Name of the Vulnerable Software and Affected Versions Edimax BR-6675nD version 1.12

Description Command injection is possible via the POST Request Handler component. The issue exists in the formWlanMP() function within the '/goform/formWlanMP' endpoint. A remote attacker can trigger this by manipulating several arguments, including ateFunc, ateGain, ateRate, ateChan, ateTxCount, e2pTx2Power1, e2pTx2Power2, e2pTx2Power3, e2pTx2Power4, e2pTx2Power5, e2pTx2Power6, e2pTx2Power7, e2pTxPower1, e2pTxPower2, e2pTxPower3, e2pTxPower4, e2pTxPower5, e2pTxPower6, e2pTxPower7, ateTxFreqOffset, ateMode, ateMacID, ateBW, ateAntenna, e2pTxFreqOffset, e2pTxPwDeltaB, e2pTxPwDeltaG, e2pTxPwDeltaMix, readE2P, and e2pTxPwDeltaN.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the '/goform/formWlanMP' endpoint to minimize the risk of exploitation.