CVE-2023-33722 – EDIMAX BR-6288ACL router firmware version 1.12 ... (How to Fix)

📋 TL;DR

EDIMAX BR-6288ACL router firmware version 1.12 contains an authenticated remote code execution vulnerability in the pppUserName parameter. Attackers with valid credentials can execute arbitrary commands on the device. This affects all users running the vulnerable firmware version.

💻 Affected Systems

Products:

EDIMAX BR-6288ACL

Versions: v1.12

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated access to the web interface. Default credentials may be present on some devices.

📦 What is this software?

Br 6288acl Firmware by Edimax

View all CVEs affecting Br 6288acl Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent backdoors, intercept network traffic, pivot to internal networks, or brick the device.

🟠

Likely Case

Attackers with stolen or default credentials gain full control of the router to monitor traffic, redirect DNS, or use as a foothold for further attacks.

🟢

If Mitigated

Limited to authenticated users only, with proper credential management reducing attack surface significantly.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing and often have default credentials or weak authentication.

🏢 Internal Only: MEDIUM - Requires authenticated access, but internal attackers or compromised devices could exploit this.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly documented. Requires authentication but exploit is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: Yes

Instructions:

1. Check EDIMAX website for firmware updates
2. Download latest firmware
3. Access router web interface
4. Navigate to firmware update section
5. Upload and apply new firmware
6. Reboot router

🔧 Temporary Workarounds

Change Default Credentials

all

Change all default passwords to strong, unique credentials

Restrict Web Interface Access

all

Limit web interface access to trusted IP addresses only

🧯 If You Can't Patch

Isolate vulnerable routers in separate network segments
Implement strict network monitoring for suspicious router traffic

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Status or Firmware Update section

Check Version:

Check via web interface or attempt to access version endpoint if available

Verify Fix Applied:

Verify firmware version is no longer v1.12 after update

📡 Detection & Monitoring

Log Indicators:

Unusual authentication attempts to router web interface
Multiple failed login attempts followed by successful login

Network Indicators:

Unusual outbound connections from router
DNS or traffic redirection changes

SIEM Query:

source="router_logs" AND (event="authentication" AND result="success") AND user!="admin" OR source="router_logs" AND event="configuration_change"

📊 Metadata

CVE ID: CVE-2023-33722

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: May 31, 2023

Last Updated: January 10, 2025

🔗 References

https://docs.google.com/document/d/1KNuU0nVd4oHMZiKgfs45wK2yA4N6K7q4/edit?usp=sharing&ouid=108638774561085298954&rtpof=true&sd=true Broken Link
https://shimo.im/docs/pmkxQ1GQ4DTowANr Exploit,Third Party Advisory
https://docs.google.com/document/d/1KNuU0nVd4oHMZiKgfs45wK2yA4N6K7q4/edit?usp=sharing&ouid=108638774561085298954&rtpof=true&sd=true Broken Link
https://shimo.im/docs/pmkxQ1GQ4DTowANr Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-33722, you might also want to check these: