EDIMAX BR-6208AC V2_1.02 Command Injection Vulnerability in Web "setWAN" handler Vulnerability Title Command Injection in Function in BR-6208AC_V2_1.03 Firmware Discoverer tzho0203 Contact Information tian-zh24@mails.tsinghua.edu.cn Affected Version BR-6208AC_V2_1.03 firmware Component Web-based WAN Configuration ( ) 1. Vulnerability Overview The function in BR-6208AC_V2_1.03 firmware has a command injection vulnerability. This arises because the field is directly passed to a shell command via the function without proper sanitization. An attacker can exploit this by injecting malicious commands into the field, allowing arbitrary code execution. This vulnerability can be triggered by sending a specially crafted POST request to the device, leading to potential remote code execution, privilege escalation, and device compromise. 2. Detailed Description The vulnerability occurs in the function, which is responsible for configuring the WAN settings in the BR-6208AC_V2_1.03 firmware. When the device is configured to use PPPoE, the input is directly used to construct a shell command via the function: The field is passed directly to the function without proper sanitization, allowing an attacker to inject shell metacharacters (e.g., semicolons, pipes, etc.) into the field, which are executed as part of the shell command.