Cyber Resilience

CVE-2025-70161

Critical · Public PoC · RCE

Published: 09 January 2026
Modified: 22 January 2026
KEV Added: not listed
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2410 (97.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-70161 is a critical-severity command injection vulnerability (CWE-77) in Edimax BR-6208AC router firmware. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.4% of all CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST SP 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-70161, published on 2026-01-09, is a command injection vulnerability (CWE-77) in the EDIMAX BR-6208AC V2_1.02 router firmware. The Web-setWAN handler passes the pppUserName field (the PPP username submitted during WAN configuration) straight into a shell command executed via system() without sanitisation, so shell metacharacters in the field are interpreted as additional commands. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

As scored, a remote attacker needs no authentication, no user interaction and only low attack complexity: placing a shell metacharacter followed by a command in the pppUserName field of a WAN configuration request is enough. Successful exploitation yields arbitrary command execution on the device, which on a router of this class amounts to full control of the appliance.

Mitigation details are available in the advisory published at https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-setWAN-handler-2d3b5c52018a80d7ae8dce2bf5e3294c?source=copy_link.

Vulnerability details

EDIMAX BR-6208AC V2_1.02 is vulnerable to command injection. The pppUserName field is passed directly to a shell command via the system() function without proper sanitization; an attacker can exploit this by injecting malicious commands into the pppUserName field, allowing arbitrary code execution.
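
The handler pattern described above, reconstructed as an added example in C. This is not Edimax's firmware code and is not taken from the advisory: only the field name pppUserName and the use of system() come from this page; the helper path /bin/pppoe-setup, the function names and the allow-list are assumptions for illustration. The vulnerable builder is followed by the two hardening steps a reviewer would ask for: an allow-list on the field (the SI-10 control named below) and, more importantly, execution through an argv vector so no shell ever parses the value.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 256

/* VULNERABLE (the pattern the page describes): the submitted username is
 * spliced into a command line that is then handed to system(). A value
 * such as "user;reboot" ends the intended command and starts another.
 * The helper path is an assumption; the system() call itself is omitted
 * so the example can be run safely, and the built string is returned. */
int vuln_build_wan_cmd(const char *ppp_user, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/bin/pppoe-setup -u %s", ppp_user);
    /* in the vulnerable handler the next line would be: system(out); */
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* HARDENED step 1 (SI-10 style allow-list): accept only characters a PPP
 * username legitimately needs and bound its length; everything the shell
 * could interpret (; | & ` $ ( ) < > newline, quotes, spaces) is rejected. */
int ppp_user_is_valid(const char *s)
{
    if (s == NULL) return 0;
    size_t len = strlen(s);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalnum(c) || c == '@' || c == '.' || c == '-' || c == '_')
            continue;
        return 0;
    }
    return 1;
}

/* HARDENED step 2: do not go through a shell at all. Build an argv vector
 * for execv()/posix_spawn() so the username occupies exactly one argument;
 * no shell ever parses it. Returns argc on success, -1 on invalid input. */
int safe_build_wan_argv(const char *ppp_user, const char **argv, int argv_max)
{
    if (argv_max < 4 || !ppp_user_is_valid(ppp_user)) return -1;
    argv[0] = "/bin/pppoe-setup";  /* assumed helper path, as above */
    argv[1] = "-u";
    argv[2] = ppp_user;            /* single argv slot, metacharacters inert */
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* constructed inputs: a benign username and two injection payloads */
    const char *inputs[] = { "alice@isp.example", "user;reboot", "u`id`" };
    char cmd[CMD_MAX];
    const char *argv[4];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        vuln_build_wan_cmd(inputs[i], cmd, sizeof cmd);
        printf("vulnerable handler would run : %s\n", cmd);
        printf("allow-list verdict           : %s\n",
               ppp_user_is_valid(inputs[i]) ? "accept" : "reject");
        if (safe_build_wan_argv(inputs[i], argv, 4) > 0)
            printf("hardened handler execs       : %s %s '%s'\n",
                   argv[0], argv[1], argv[2]);
    }
    return 0;
}
```

Compile with cc -Wall -o setwan setwan.c and run it: the line printed for user;reboot shows the second command a shell would execute in the vulnerable handler, while the hardened path rejects the value before anything is built. The allow-list alone is a thin defence (it has to anticipate every metacharacter the target shell honours); the argv construction is what removes the shell from the data path.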

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Command and Scripting Interpreter: Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The injection point is a WAN configuration handler exposed by the router's web interface and, as scored, reachable without authentication, so initial access is by exploiting a public-facing application (T1190); the injected value is handed to system(), which runs it through a Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15256 (same product: Edimax BR-6208AC)
CVE-2025-15257 (same product: Edimax BR-6208AC)
CVE-2026-1972 (same product: Edimax BR-6208AC)
CVE-2025-22912 (same vendor: Edimax)
CVE-2024-48419 (same vendor: Edimax)
CVE-2024-48418 (same vendor: Edimax)
CVE-2025-22905 (same vendor: Edimax)
CVE-2025-1316 (same vendor: Edimax)
CVE-2025-14094 (same vendor: Edimax)
CVE-2024-57590 (shared CWE-77)

Affected Assets

Edimax BR-6208AC firmware 1.03 (as recorded in this page's asset data)

Note the version mismatch on this page: the advisory and the analysis above identify the affected build as V2_1.02, while the asset record lists 1.03. Check the firmware version actually running on a device against both strings before treating it as out of scope.

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent): requires validating information inputs such as the pppUserName field at the web interface, so that the value is sanitised (or, better, never passed through a shell at all) before any system() call.

SI-2 Flaw Remediation (prevent, recover): mandates identifying, documenting and remediating flaws such as the unsanitised pppUserName handling in the Web-setWAN handler, eliminating the command injection vulnerability.

RA-5 Vulnerability Monitoring and Scanning (detect, respond): requires vulnerability scanning that would identify the command injection vulnerability in the router firmware and trigger remediation actions.
