A security flaw has been discovered in Edimax BR-6208AC 1.02. The impacted element is the function setWAN of the file /goform/setWAN of the component L2TP Mode. The manipulation of the argument L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
PUBLISHED5.2Operating systemCWE-77CWE-74
Edimax BR-6208AC L2TP Mode setWAN command injection
Problem type
Affected products
Edimax
BR-6208AC
1.02 - AFFECTED
References
VDB-360841 | Edimax BR-6208AC L2TP Mode setWAN command injection
https://vuldb.com/vuln/360841
VDB-360841 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/360841/cti
Submit #801572 | Edimax BR-6208AC V2_1.02 Command Injection
https://vuldb.com/submit/801572
tzh00203.notion.site
https://tzh00203.notion.site/Edimax-BR-6208AC-V2-1-02-setWAN-L2TPUserName-Command-Injection-33db5c52018a80c1b3aac6db8927bd0f
GitHub Security Advisories
GHSA-xpcr-x724-6923
A security flaw has been discovered in Edimax BR-6208AC 1.02. The impacted element is the...
https://github.com/advisories/GHSA-xpcr-x724-6923A security flaw has been discovered in Edimax BR-6208AC 1.02. The impacted element is the function setWAN of the file /goform/setWAN of the component L2TP Mode. The manipulation of the argument L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-7682
tzh00203.notion.site
https://tzh00203.notion.site/Edimax-BR-6208AC-V2-1-02-setWAN-L2TPUserName-Command-Injection-33db5c52018a80c1b3aac6db8927bd0f
vuldb.com
https://vuldb.com/submit/801572
vuldb.com
https://vuldb.com/vuln/360841
vuldb.com
https://vuldb.com/vuln/360841/cti
github.com
https://github.com/advisories/GHSA-xpcr-x724-6923
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-7682Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-7682",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2026-05-03T06:15:09.912Z",
"dateReserved": "2026-05-02T11:05:13.164Z",
"datePublished": "2026-05-03T06:15:09.912Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2026-05-03T06:15:09.912Z"
},
"title": "Edimax BR-6208AC L2TP Mode setWAN command injection",
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Edimax BR-6208AC 1.02. The impacted element is the function setWAN of the file /goform/setWAN of the component L2TP Mode. The manipulation of the argument L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"affected": [
{
"vendor": "Edimax",
"product": "BR-6208AC",
"cpes": [
"cpe:2.3:o:edimax:br-6208ac_firmware:*:*:*:*:*:*:*:*"
],
"modules": [
"L2TP Mode"
],
"versions": [
{
"version": "1.02",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Command Injection",
"cweId": "CWE-77",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Injection",
"cweId": "CWE-74",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/vuln/360841",
"name": "VDB-360841 | Edimax BR-6208AC L2TP Mode setWAN command injection",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/vuln/360841/cti",
"name": "VDB-360841 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/submit/801572",
"name": "Submit #801572 | Edimax BR-6208AC V2_1.02 Command Injection",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://tzh00203.notion.site/Edimax-BR-6208AC-V2-1-02-setWAN-L2TPUserName-Command-Injection-33db5c52018a80c1b3aac6db8927bd0f",
"tags": [
"exploit"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"baseScore": 6.5
}
}
],
"timeline": [
{
"time": "2026-05-02T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2026-05-02T02:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2026-05-02T13:10:19.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "tian (VulDB User)",
"type": "reporter"
},
{
"lang": "en",
"value": "VulDB CNA Team",
"type": "coordinator"
}
]
}
}
}