CVE-2025-70161 – EDIMAX BR-6208AC V2 router firmware version 1.0... (How to Fix)

📋 TL;DR

EDIMAX BR-6208AC V2 router firmware version 1.02 contains a command injection vulnerability in the pppUserName field that allows attackers to execute arbitrary commands on the device. This affects all users of this specific router model and firmware version. Successful exploitation gives attackers full control over the router.

💻 Affected Systems

Products:

EDIMAX BR-6208AC V2

Versions: 1.02

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in web interface's setWAN handler. All devices running this firmware version are vulnerable.

📦 What is this software?

Br 6208ac Firmware by Edimax

View all CVEs affecting Br 6208ac Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router allowing attacker to pivot to internal network, intercept/modify traffic, install persistent backdoors, or use router as botnet node.

🟠

Likely Case

Router takeover leading to network traffic interception, DNS hijacking, credential theft, and lateral movement to connected devices.

🟢

If Mitigated

Limited impact if router is behind firewall with strict inbound rules and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires access to web interface. The vulnerability is well-documented with proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check EDIMAX website for firmware updates
2. Download latest firmware for BR-6208AC V2
3. Access router web interface
4. Navigate to firmware update section
5. Upload and apply new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable WAN Web Interface Access

linux

Prevent external access to vulnerable web interface

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Change Default Credentials

all

Use strong unique credentials to limit attack surface

🧯 If You Can't Patch

Isolate router on separate VLAN with strict firewall rules
Implement network monitoring for suspicious router traffic

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or Administration section

Check Version:

curl -s http://router-ip/status.cgi | grep firmware

Verify Fix Applied:

Verify firmware version is updated beyond 1.02 and test pppUserName field with safe test payloads

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Multiple failed login attempts to web interface
PPP configuration changes from unexpected sources

Network Indicators:

Outbound connections from router to suspicious IPs
DNS queries to malicious domains from router
Unexpected port scans originating from router

SIEM Query:

source="router.log" AND ("system()" OR "pppUserName" OR "setWAN")

📊 Metadata

CVE ID: CVE-2025-70161

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

EPSS Score: 0.47% exploit probability (63.9th percentile)

Published: January 9, 2026

Last Updated: January 22, 2026

🔗 References

https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-setWAN-handler-2d3b5c52018a80d7ae8dce2bf5e3294c?source=copy_link Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-70161, you might also want to check these: