CVE-2025-15256 is a command injection vulnerability identified in the Edimax BR-6208AC router firmware versions 1.02 and 1.03. The vulnerability resides in the web-based configuration interface component, specifically within the formStaDrvSetup function located at /goform/formStaDrvSetup. The root cause is improper sanitization of the rootAPmac argument, which an attacker can manipulate to inject arbitrary shell commands. This flaw allows remote attackers to execute commands on the underlying operating system without any authentication or user interaction, making it a remotely exploitable, unauthenticated command injection vulnerability. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, no privileges required, and no user interaction needed. The vulnerability affects only devices that are no longer supported by Edimax, as the BR-6208AC V2 model has reached End of Life status, with no forthcoming firmware patches. Public exploit code is available, increasing the likelihood of exploitation despite no confirmed active exploitation in the wild. Successful exploitation could lead to full system compromise, enabling attackers to manipulate device configurations, intercept or redirect network traffic, or use the device as a foothold for further attacks within a network. The lack of vendor support means that affected devices remain vulnerable unless replaced or mitigated by other means.

For European organizations, this vulnerability poses a significant risk, especially for those still operating Edimax BR-6208AC routers in their network infrastructure. Exploitation could lead to unauthorized command execution, resulting in loss of confidentiality through data interception or exfiltration, integrity violations by altering device configurations or network traffic, and availability disruptions by causing device malfunctions or denial of service. Given the device’s role as a network gateway, compromise could facilitate lateral movement within corporate or critical infrastructure networks, potentially impacting sensitive systems. The absence of vendor patches increases the risk exposure, forcing organizations to rely on compensating controls or device replacement. This is particularly critical for sectors such as telecommunications, government, finance, and energy, where network device security is paramount. Additionally, the availability of public exploits lowers the barrier for attackers, including cybercriminals and state-sponsored actors, to target vulnerable devices. Organizations that have not inventoried or updated their network hardware may be unaware of their exposure, increasing the risk of undetected compromise.

Given the End of Life status of the Edimax BR-6208AC and the absence of vendor patches, the primary mitigation is to replace all affected devices with newer, supported models that receive regular security updates. Until replacement is feasible, organizations should implement strict network segmentation to isolate vulnerable devices from critical network segments and sensitive data. Deploying firewall rules to restrict access to the device’s web-based management interface only to trusted administrative hosts can reduce exposure. Monitoring network traffic for unusual patterns or command injection indicators targeting the /goform/formStaDrvSetup endpoint is recommended. Employing intrusion detection/prevention systems (IDS/IPS) with signatures for known exploits can help detect or block exploitation attempts. Regularly auditing and inventorying network devices to identify any remaining vulnerable Edimax BR-6208AC units is critical. Additionally, disabling remote management interfaces if not required and enforcing strong administrative credentials can reduce attack surface. Finally, educating network administrators about this vulnerability and the risks of using unsupported hardware will support timely remediation.