CVE-2026-10060: TRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
TRENDnet's TEW-432BRP wireless router (firmware version 3.10B20) contains a command injection vulnerability in its route configuration interface. An authenticated attacker can manipulate IP, mask, or gateway parameters to inject arbitrary commands on the device. The vulnerability requires valid credentials but poses a direct threat to affected networks. Critically, this product reached end-of-life in 2009—over 15 years ago—and the vendor has stated it cannot replicate or fix vulnerabilities in legacy hardware.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-77
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the /goform/formSetRoute handler, which processes route configuration requests. The function fails to properly validate or sanitize the ip, mask, and gateway input parameters before using them in system commands. This allows command injection (CWE-74, CWE-77) via specially crafted requests. Exploitation requires authenticated network access to the router's management interface. The attack surface is the HTTP-based configuration interface accessible to users with valid credentials.
Business impact
Organizations still operating TEW-432BRP routers face a significant operational risk. An attacker with administrative or user-level access to the router could gain command execution, potentially compromising network segmentation, intercepting traffic, or using the device as a pivot point. For networks relying on these legacy devices, the inability to obtain vendor patches means risk mitigation depends entirely on network access controls and credential management. Continued use increases long-term security exposure without remediation options.
Affected systems
Only the TRENDnet TEW-432BRP router running firmware version 3.10B20 and related builds is affected. This is a legacy consumer/small-business wireless router. The TEW-432BRP is no longer manufactured or supported. Any organization still operating this hardware in production is exposed, though the device's age suggests limited modern deployment.
Exploitability
The vulnerability requires authenticated access—an attacker must possess valid router credentials. Exploit code has been disclosed publicly, reducing the barrier to weaponization. However, the authentication requirement prevents unauthenticated remote exploitation. Risk is highest in environments with weak credential hygiene, default passwords, or exposed management interfaces. The CVSS 3.1 score of 6.3 (MEDIUM) reflects this authentication prerequisite balanced against the ability to execute commands post-authentication.
Remediation
The vendor has explicitly stated no patches will be released due to the product's end-of-life status. Organizations have two paths: (1) Immediately decommission TEW-432BRP devices and replace them with current hardware receiving active vendor support, or (2) If replacement is not immediately feasible, isolate the router on a restricted network segment, disable remote management access, enforce strong unique credentials, and monitor for unauthorized configuration changes. Replacement is the only permanent solution.
Patch guidance
No patch is available from the vendor. The TEW-432BRP reached end-of-life in 2009 and vendor support has formally ended. Do not delay remediation expecting a security update. Organizations must develop a decommissioning plan and transition to supported hardware. Verify your current router model and firmware version against the affected product list; if you are running this model, prioritize replacement in your asset lifecycle plan.
Detection guidance
Monitor for suspicious HTTP POST requests to /goform/formSetRoute with unusual or malformed parameters in the ip, mask, or gateway fields. Network-based intrusion detection should flag requests containing command injection payloads (backticks, $(), semicolons, or pipe operators) in these parameters. Check router access logs for successful logins followed by configuration changes. Passive scanning can identify deployed TEW-432BRP devices via banner grabbing on port 80; use this to locate affected assets for retirement planning.
Why prioritize this
Although rated MEDIUM severity due to the authentication requirement, this vulnerability should be prioritized for asset retirement, not patching. The key drivers are: (1) Lack of any remediation path from the vendor, (2) Publicly disclosed exploit code, (3) The device's extreme age and lack of modern security controls, and (4) The risk of credential compromise enabling persistent command execution. Any TEW-432BRP still in operation represents technical debt and should be replaced urgently.
Risk score, explained
The CVSS 3.1 score of 6.3 reflects a network-accessible command injection flaw that requires prior authentication (Attack Vector: Network, Access Complexity: Low, Privileges Required: Low). This yields low confidentiality, integrity, and availability impact but does not capture the compounding risk of end-of-life status and lack of vendor support. The true organizational risk is higher because no patch is available and the device is likely running unpatched for many other undiscovered vulnerabilities typical of 15-year-old consumer hardware.
Frequently asked questions
Do I need to patch if I have this router?
No patch exists. Your only remediation is to decommission the device and replace it with current hardware. Prioritize this replacement—continuing to operate unsupported legacy equipment introduces compounding risk beyond this single vulnerability.
What if I can't replace the router immediately?
Implement compensating controls: disable remote management access, restrict the router's network segment, enforce a strong unique administrative password, and monitor for unauthorized access or configuration changes. These are temporary measures only; schedule replacement as soon as feasible.
Is this vulnerability actively exploited?
Exploit code has been publicly disclosed. While there is no evidence of active mass exploitation, the availability of working exploits means threat actors can use it if they gain credentials to your router. Credential compromise or default passwords significantly raise the risk.
How do I know if I have a TEW-432BRP?
Check the physical router label or access the web interface and note the model and firmware version. If it shows TEW-432BRP with firmware 3.10B20 or similar, you are running the affected hardware and should plan immediate replacement.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor statements. Organizations should verify all technical details and patch availability directly with vendors and conduct their own risk assessment. Exploit code availability and attack feasibility may change; maintain awareness of threat intelligence feeds. No exploit code or detailed attack steps are provided in this advisory; consult CISA, NVD, or vendor advisories for additional technical context. Always test remediation procedures in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10180MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Hardware Retirement Required
- CVE-2026-10182MEDIUMTRENDnet TEW-432BRP Command Injection – Unpatched EOL Device
- CVE-2026-10550MEDIUMCommand Injection in elunez eladmin Deployment Module
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0