CVE-2025-15256
Published: 30 December 2025
Description
A vulnerability was identified in Edimax BR-6208AC 1.02/1.03. Affected is the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component Web-based Configuration Interface. The manipulation of the argument rootAPmac leads to command injection. Remote exploitation of the attack is possible.
The exploit is publicly available and might be used. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer.
Mitigating Controls (NIST 800-53 r5)
- SA-22 (Unsupported System Components): directly requires replacement of unsupported and end-of-life system components such as the Edimax BR-6208AC router, eliminating exposure to unpatchable command injection vulnerabilities.
- SI-10 (Information Input Validation): mandates validation of information inputs such as the rootAPmac argument, so that special elements are neutralized and command injection in the formStaDrvSetup function is prevented.
- CM-7 (Least Functionality): enforces least functionality by restricting or disabling unnecessary web configuration interfaces and endpoints such as /goform/formStaDrvSetup on the router.
Security Summary
CVE-2025-15256 is a command injection vulnerability in the Edimax BR-6208AC router firmware versions 1.02 and 1.03. The issue resides in the formStaDrvSetup function behind the /goform/formStaDrvSetup endpoint of the web-based configuration interface, where the value of the rootAPmac argument is not properly sanitized before use, allowing arbitrary command execution. The flaw is classified under CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to the affected endpoint with a malicious rootAPmac value, injecting and executing operating system commands on the device. The impact of successful exploitation is rated limited (low for confidentiality, integrity and availability): an attacker may read some sensitive data, modify configuration, or disrupt services, without requiring user interaction or prior privileges.
Edimax has confirmed the vulnerability affects the BR-6208AC V2 model, which has reached end-of-life (EOL) status and is no longer supported, maintained, or available for purchase. No firmware updates or patches will be provided, and users are advised to upgrade to newer models. Advisories emphasize that this issue is limited to unsupported products.
The exploit is publicly available, increasing the risk of active misuse against exposed devices. Security practitioners should prioritize inventory scans for legacy Edimax BR-6208AC routers and recommend immediate decommissioning or network isolation.
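The inventory and detection advice above can be turned into a concrete check. The following is an added example (not Edimax code and not from the advisory) that applies the strict MAC-address validation the SI-10 control calls for on the defender's side: it inspects captured HTTP requests to the affected endpoint and flags any whose rootAPmac is not a well-formed MAC address. The request tuples and the `inspect_request`/`scan` helper names are constructed for this example.

```python
"""Added helper for CVE-2025-15256 (not Edimax code): flag requests to the
affected /goform/formStaDrvSetup endpoint whose rootAPmac is not a MAC address."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

AFFECTED_PATH = "/goform/formStaDrvSetup"  # endpoint named in the advisory
# Allow-list for the one legitimate shape of rootAPmac: six hex octets with one
# consistent ':' or '-' separator; anything else is treated as suspect.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def is_valid_mac(value: str) -> bool:
    """Strict allow-list check, applied at a proxy, IDS or during log review."""
    return MAC_RE.fullmatch(value) is not None


def inspect_request(method: str, target: str, body: str = "") -> dict:
    """Classify one captured request. The advisory does not say whether the
    handler reads rootAPmac from the query string or the POST body, so both are
    parsed; parse_qsl also undoes percent-encoding before the check."""
    parts = urlsplit(target)
    if unquote(parts.path) != AFFECTED_PATH:
        return {"affected_endpoint": False, "suspicious": False, "reason": "other endpoint"}
    params = dict(parse_qsl(parts.query, keep_blank_values=True, separator="&"))
    params.update(parse_qsl(body, keep_blank_values=True, separator="&"))
    mac = params.get("rootAPmac")
    if mac is None:
        return {"affected_endpoint": True, "suspicious": False, "reason": "no rootAPmac"}
    if is_valid_mac(mac):
        return {"affected_endpoint": True, "suspicious": False, "reason": "well-formed MAC"}
    return {"affected_endpoint": True, "suspicious": True,
            "reason": f"{method} rootAPmac is not a MAC address: {mac!r}"}


def scan(requests):
    """Return (method, target, reason) for every suspicious request in the input."""
    flagged = []
    for method, target, body in requests:
        verdict = inspect_request(method, target, body)
        if verdict["suspicious"]:
            flagged.append((method, target, verdict["reason"]))
    return flagged


# Constructed sample traffic (not real captures): one clean POST, one POST with a
# stray shell metacharacter, one GET with percent-encoded backticks, one unrelated page.
SAMPLE_REQUESTS = [
    ("POST", AFFECTED_PATH, "rootAPmac=00:11:22:33:44:55"),
    ("POST", AFFECTED_PATH, "rootAPmac=00:11:22:33:44:55;x"),
    ("GET", AFFECTED_PATH + "?rootAPmac=00%3A11%3A22%3A33%3A44%3A55%60x%60", ""),
    ("GET", "/index.asp", ""),
]
```

Running `scan(SAMPLE_REQUESTS)` flags the second and third requests only; a device that legitimately needs this endpoint should never send anything but a plain MAC address.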
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection via the public-facing web interface enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary OS command execution on the router (T1059.004: Unix Shell).