CVE-2025-28143

6.5 MEDIUM

📋 TL;DR

This CVE describes a command injection vulnerability in Edimax AC1200 routers that allows authenticated attackers to execute arbitrary commands on the device. The vulnerability exists in the groupname parameter of the disk creation group form. Users of affected router models with the vulnerable firmware are at risk.

💻 Affected Systems

Products:
  • Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3
Versions: 1.0.15
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authentication to access the vulnerable endpoint, but default credentials may be used.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full router compromise allowing attacker to install persistent backdoors, intercept all network traffic, pivot to internal networks, or brick the device.

🟠

Likely Case

Router takeover enabling traffic monitoring, DNS hijacking, credential theft, and lateral movement to connected devices.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to router admin interface.

🌐 Internet-Facing: HIGH - Router admin interfaces are often exposed to the internet, and authenticated access is typically required but may be weak/default.
🏢 Internal Only: MEDIUM - Internal attackers with network access could exploit if they obtain or bypass authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

A public proof-of-concept exists in a GitHub repository. Exploitation requires authentication but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check the Edimax website for firmware updates.
2. Download the latest firmware.
3. Access the router admin interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Disable Disk Sharing Feature

all

Disable the disk sharing functionality that contains the vulnerable endpoint

Restrict Admin Interface Access

all

Limit access to router admin interface to trusted IP addresses only

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict firewall rules
  • Change default admin credentials and implement strong authentication

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface. If version is 1.0.15, device is vulnerable.

Check Version:

Log in to the router admin interface and check the System Status or Firmware Update section.

Verify Fix Applied:

Verify firmware version has been updated to a version later than 1.0.15

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /boafrm/formDiskCreateGroup
  • Suspicious command execution in system logs
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains
  • Unexpected port scans originating from router

SIEM Query:

source="router_logs" AND (uri="/boafrm/formDiskCreateGroup" OR command="*;*" OR command="*|*")
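The glob-style SIEM query above misses percent-encoded metacharacters (a `;` arrives as `%3B`, or `%253B` when double-encoded) and fires on any `;` anywhere in a log line. The following is an added detection example, not part of this advisory: it parses request log lines, keeps only those hitting the endpoint named above, decodes the form body, and flags shell metacharacters specifically in the `groupname` parameter. The log format, client addresses and sample lines are constructed assumptions; it further assumes a reverse proxy or WAF in front of the admin interface that logs the POST body, since router access logs normally do not.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory.
VULN_PATH = "/boafrm/formDiskCreateGroup"
VULN_PARAM = "groupname"
# Shell metacharacters that should never appear in a legitimate group name.
META = re.compile(r"[;|&`$\n]")

# Assumed (constructed) log format:
#   <client> "<METHOD> <target> HTTP/1.x" <status> [body=<urlencoded form>]
LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r"(?P<status>\d{3})(?: body=(?P<body>.*))?$"
)

def extract_params(target, body):
    """Merge query-string and form-body parameters into one dict."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if body:
        params.update(parse_qs(body, keep_blank_values=True))
    return params

def classify_line(line):
    """Return None for lines not touching the endpoint, else an alert dict."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or urlsplit(m["target"]).path != VULN_PATH:
        return None
    params = extract_params(m["target"], m["body"])
    # parse_qs already percent-decodes once; decode again so a
    # double-encoded ';' (%253B) is caught as well.
    values = [unquote_plus(v) for v in params.get(VULN_PARAM, [])]
    hit = [v for v in values if META.search(v)]
    return {
        "client": m["client"],
        "method": m["method"],
        # Any request to this form is worth noting; metacharacters escalate it.
        "severity": "high" if hit else "info",
        "groupname": values,
    }

def scan_log(lines):
    return [a for a in (classify_line(l) for l in lines) if a]

# Constructed sample log lines; 'probe' stands in for any injected text.
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.asp HTTP/1.1" 200',
    '10.0.0.5 "POST /boafrm/formDiskCreateGroup HTTP/1.1" 200 body=groupname=family&submit=Add',
    '10.0.0.9 "POST /boafrm/formDiskCreateGroup HTTP/1.1" 200 body=groupname=share%3Bprobe&submit=Add',
    '10.0.0.9 "POST /boafrm/formDiskCreateGroup HTTP/1.1" 200 body=groupname=share%253Bprobe',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```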

🔗 References