Edimax BR-6208AC 1.02 FTP Daemon Service handle_retr path traversal

Summaryinfo

A vulnerability was found in Edimax BR-6208AC 1.02. It has been rated as critical. Affected is the function handle_retr of the component FTP Daemon Service. This manipulation causes path traversal. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is registered as CVE-2025-14910. Remote exploitation of the attack is possible. Furthermore, an exploit is available. It is preferable to disable the affected component. Edimax confirms this issue: "This product is no longer available in the market and has been discontinued for five years. Consequently, Edimax no longer provides technical support, firmware updates, or security patches for this specific model. However, to ensure the safety of our remaining active users, we acknowledge this report and will take the following mitigation actions: (A) We will issue an official security advisory on our support website. (B) We will strongly advise users to disable the FTP service on this device to mitigate the reported risk, by which the product will still work for common use. (C) We will recommend users upgrade to newer, supported models."

Detailsinfo

A vulnerability was found in Edimax BR-6208AC 1.02. It has been declared as critical. Affected by this vulnerability is the function handle_retr of the component FTP Daemon Service. The manipulation with an unknown input leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. As an impact it is known to affect confidentiality.

It is possible to read the advisory at tzh00203.notion.site. This vulnerability is known as CVE-2025-14910. The exploitation appears to be easy. The attack can be launched remotely. Technical details and also a public exploit are known. The attack technique deployed by this issue is T1006 according to MITRE ATT&CK.

It is possible to download the exploit at tzh00203.notion.site. It is declared as proof-of-concept. Edimax confirms this issue: "This product is no longer available in the market and has been discontinued for five years. Consequently, Edimax no longer provides technical support, firmware updates, or security patches for this specific model. However, to ensure the safety of our remaining active users, we acknowledge this report and will take the following mitigation actions: (A) We will issue an official security advisory on our support website. (B) We will strongly advise users to disable the FTP service on this device to mitigate the reported risk, by which the product will still work for common use. (C) We will recommend users upgrade to newer, supported models."

The best possible mitigation is suggested to be disabling the affected component.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-204431). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Edimax

Name

• BR-6208AC

Version

• 1.02

Support

• end of life

CPE 2.3info

• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Submitinfo

Accepted

• Submit #713704: Edimax BR-6208AC V2_1.02 Absolute Path Traversal (by tian)

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion