Login Sign Up

CVE-2025-28145

6.5 MEDIUM
Remote Code Execution

📋 TL;DR

This CVE describes a command injection vulnerability in Edimax AC1200 routers that allows attackers to execute arbitrary commands on the device. The vulnerability exists in the disk formatting functionality and affects users of the specific router model and firmware version. Attackers can potentially gain full control of the router.

💻 Affected Systems

Products:
  • Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3
Versions: 1.0.15
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects this specific model and firmware version. Requires administrative access to the web interface.

📦 What is this software?

Br 6478ac V3 Firmware by Edimax

View all CVEs affecting Br 6478ac V3 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router with persistent backdoor installation, credential theft, network traffic interception, and pivot to internal network devices.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential harvesting, and network disruption for connected devices.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted administrative access and network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices with web interfaces accessible from WAN.
🏢 Internal Only: MEDIUM - Attackers would need internal network access first, but once obtained, exploitation is straightforward.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication to the router's web interface. Public proof-of-concept code is available in the GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check Edimax website for firmware updates 2. Download latest firmware 3. Access router admin panel 4. Navigate to firmware update section 5. Upload and apply new firmware 6. Reboot router

🔧 Temporary Workarounds

Disable remote administration

all

Prevent external access to router web interface

Change default credentials

all

Use strong, unique admin password

🧯 If You Can't Patch

  • Replace router with supported model
  • Isolate router in separate VLAN with strict firewall rules

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel. If version is 1.0.15, device is vulnerable.

Check Version:

Login to router web interface and check System Status or Firmware Update page.

Verify Fix Applied:

Verify firmware version has been updated to a version later than 1.0.15.

📡 Detection & Monitoring

Log Indicators:

  • Unusual disk format operations
  • Suspicious command execution in system logs
  • Multiple failed login attempts followed by successful login

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains
  • Unexpected port openings

SIEM Query:

source="router_logs" AND (event="disk_format" OR event="command_execution")

📊 Metadata

CVE ID: CVE-2025-28145
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE: CWE-77
EPSS Score: 9.17% exploit probability (92.5th percentile)
Published: April 15, 2025
Last Updated: May 1, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-28145, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)