Cyber Posture

CVE-2025-70161

Critical · Public PoC · RCE

Published: 09 January 2026

Modified: 22 January 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0064 (70.7th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-70161 is a critical-severity Command Injection (CWE-77) vulnerability in Edimax Br-6208Ac Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 29.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

SI-10 requires validating information inputs like the pppUserName field at web interfaces to prevent command injection by ensuring proper sanitization before passing to system() calls.

prevent, recover

SI-2 mandates identifying, documenting, and remediating flaws such as the unsanitized pppUserName handling in the Web-setWAN handler to eliminate the command injection vulnerability.

detect, respond

RA-5 requires vulnerability scanning that would identify the command injection vulnerability in the router firmware and trigger remediation actions.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated remote command injection via the public-facing web WAN configuration handler enables exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

EDIMAX BR-6208AC V2_1.02 is vulnerable to Command Injection. This arises because the pppUserName field is directly passed to a shell command via the system() function without proper sanitization. An attacker can exploit this by injecting malicious commands into the pppUserName field, allowing arbitrary code execution.

Deeper analysis [AI]

CVE-2025-70161, published on 2026-01-09, is a command injection vulnerability (CWE-77) affecting the EDIMAX BR-6208AC V2_1.02 router firmware. The Web-setWAN handler passes the pppUserName field directly to a shell command via the system() function without proper sanitization. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction by injecting malicious commands into the pppUserName field during WAN configuration attempts. Successful exploitation enables arbitrary code execution on the affected device, potentially granting full control over the router.

Mitigation details are available in the advisory published at https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-setWAN-handler-2d3b5c52018a80d7ae8dce2bf5e3294c?source=copy_link.
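
As an added illustration of the SI-10 control applied to this flaw (not code from the Edimax firmware or the advisory), the C code below validates pppUserName against an allowlist and hands it over as a single execv() argument instead of building a system() string. The pppd path, the use of its `user` option, the 64-character limit and the permitted character set are assumptions, since the page does not show the command the firmware actually runs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PPP_USER_MAX 64  /* assumed limit, not taken from the firmware */

/* Allowlist check: returns 1 only for 1..PPP_USER_MAX characters drawn from
 * [A-Za-z0-9@._-], with no leading '-' (it would be read as an option). */
int ppp_username_is_safe(const char *s)
{
    size_t n;
    if (s == NULL || s[0] == '\0' || s[0] == '-')
        return 0;
    n = strlen(s);
    if (n > PPP_USER_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && strchr("@._-", c) == NULL)
            return 0;   /* shell metacharacters, spaces, quotes: rejected */
    }
    return 1;
}

/* Fills argv for execv(). The username is one argv element, so no shell
 * ever parses it. Returns argc, or -1 if the name is rejected. */
int build_pppd_argv(const char *user, const char *argv[], size_t cap)
{
    if (cap < 4 || !ppp_username_is_safe(user))
        return -1;
    argv[0] = "/usr/sbin/pppd";  /* assumed path */
    argv[1] = "user";            /* pppd option that takes the peer name */
    argv[2] = user;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory */
    const char *samples[] = { "alice@isp.example", "user;id", "$(id)", "-detach", "" };
    const char *argv[4];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               build_pppd_argv(samples[i], argv, 4) > 0 ? "accepted" : "rejected");
    return 0;
}
```

Validation and shell-free execution are independent layers: the allowlist rejects bad input early, and the argument vector keeps the value inert even if the allowlist is later loosened.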

Details

CWE(s)

Affected Products

edimax
br-6208ac firmware
1.03

CVEs Like This One

CVE-2025-15256 (Same product: Edimax Br-6208Ac)
CVE-2026-1972 (Same product: Edimax Br-6208Ac)
CVE-2025-15257 (Same product: Edimax Br-6208Ac)
CVE-2025-22912 (Same vendor: Edimax)
CVE-2024-48419 (Same vendor: Edimax)
CVE-2025-1316 (Same vendor: Edimax)
CVE-2025-22905 (Same vendor: Edimax)
CVE-2024-48418 (Same vendor: Edimax)
CVE-2025-14094 (Same vendor: Edimax)
CVE-2025-22916 (Same vendor: Edimax)

References