CVE-2025-14093 identifies a remote OS command injection vulnerability in the Edimax BR-6478AC V3 router firmware version 1.0.15. The vulnerability resides in the function sub_416990 within the /boafrm/formTracerouteDiagnosticRun endpoint. Specifically, the 'host' parameter is improperly sanitized, allowing an attacker to inject arbitrary operating system commands. This flaw can be exploited remotely without requiring authentication or user interaction, making it accessible to unauthenticated attackers over the network. The CVSS 4.0 score of 5.1 reflects a medium severity, considering the ease of exploitation but limited impact on confidentiality, integrity, and availability. The vulnerability could allow attackers to execute commands with elevated privileges, potentially leading to device compromise, unauthorized network access, or lateral movement within an organization's infrastructure. Despite early vendor notification, Edimax has not issued a patch or response, and no official remediation is currently available. The exploit code has been publicly disclosed, increasing the risk of opportunistic attacks. The affected device is a widely used consumer and small office router, often deployed in home and enterprise edge networks. The lack of vendor response and patch availability necessitates immediate defensive measures by users and administrators to mitigate risk.

The vulnerability enables remote attackers to execute arbitrary OS commands on affected Edimax BR-6478AC V3 routers, potentially leading to full device compromise. This can result in unauthorized control over network traffic, interception or manipulation of data, and use of the device as a pivot point for further attacks within internal networks. Although the CVSS score is medium, the absence of authentication and user interaction requirements increases exploitation likelihood. Organizations relying on these routers for perimeter security or network segmentation may face increased risk of network breaches, data exfiltration, or service disruption. The public availability of exploit code further elevates the threat, especially in environments where patching or device replacement is delayed. The impact extends to both confidentiality and integrity of network communications, with availability impact considered low but possible if attackers disrupt device functionality. The vendor's lack of response and absence of patches exacerbate the risk, leaving affected devices exposed to persistent threats.

Until an official patch is released, organizations should implement the following specific mitigations: 1) Disable remote management interfaces on the Edimax BR-6478AC V3 routers to prevent external exploitation. 2) Restrict network access to the router's management interface using firewall rules or network segmentation, allowing only trusted internal IP addresses. 3) Monitor network traffic and router logs for unusual command execution patterns or unexpected outbound connections indicative of compromise. 4) Replace or upgrade affected devices to models with vendor-supported firmware and active security updates where feasible. 5) Employ network intrusion detection systems (NIDS) with signatures targeting known exploit patterns for this vulnerability. 6) Educate network administrators about the vulnerability and ensure rapid incident response capabilities. 7) If possible, disable or limit the traceroute diagnostic functionality exposed at /boafrm/formTracerouteDiagnosticRun to reduce attack surface. 8) Maintain up-to-date asset inventories to identify all impacted devices for prioritized mitigation. These measures go beyond generic advice by focusing on access control, monitoring, and device replacement strategies tailored to this specific vulnerability and device.