CVE-2025-28146
📋 TL;DR
This CVE describes a critical command injection vulnerability in Edimax AC1200 routers that allows attackers to execute arbitrary commands on the device. Attackers can exploit this by sending specially crafted requests to the fota_url parameter in the firmware upgrade endpoint. Anyone using the affected router model with vulnerable firmware is at risk.
💻 Affected Systems
- Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to persistent backdoor installation, network traffic interception, credential theft, and lateral movement to other devices on the network.
Likely Case
Router takeover allowing DNS hijacking, traffic redirection, credential harvesting, and use as a pivot point for further attacks.
If Mitigated
Limited impact if the router is behind a firewall with strict inbound rules and network segmentation prevents lateral movement.
🎯 Exploit Status
The GitHub repository contains exploit code and technical details. The vulnerability requires no authentication and has simple exploitation steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: Yes
Instructions:
1. Check Edimax website for firmware updates. 2. Download latest firmware for BR-6478AC V3. 3. Log into router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.
🔧 Temporary Workarounds
Disable remote management
allPrevent external access to router administration interface
Network segmentation
allIsolate router management interface to separate VLAN
🧯 If You Can't Patch
- Replace affected router with a different model that receives security updates
- Place router behind a firewall with strict inbound rules blocking access to port 80/443
🔍 How to Verify
Check if Vulnerable:
Check router firmware version in admin interface. If version is 1.0.15 on BR-6478AC V3, device is vulnerable.Check Version:
Log into router web interface and check System Status or Firmware Version pageVerify Fix Applied:
After firmware update, verify version number has changed from 1.0.15. Test the vulnerable endpoint with safe payloads to confirm command injection is no longer possible.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /boafrm/formLtefotaUpgradeQuectel
- Suspicious commands in router logs
- Multiple failed firmware upgrade attempts
Network Indicators:
- Unusual outbound connections from router
- DNS queries to suspicious domains
- Traffic redirection patterns
SIEM Query:
source="router_logs" AND (uri="/boafrm/formLtefotaUpgradeQuectel" OR command="*;*" OR command="*|*" OR command="*`*")