CVE-2026-10063: TRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
A stack-based buffer overflow vulnerability exists in the TRENDnet TEW-432BRP wireless router (firmware version 3.10B20) that allows authenticated attackers to remotely crash the device or potentially execute arbitrary code. The flaw is in the WPS (Wi-Fi Protected Setup) configuration function and can be triggered by sending a specially crafted request with an oversized PIN parameter. Critically, this router model reached end-of-life in 2009—over 15 years ago—and TRENDnet has confirmed they will not be providing patches or fixes.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in TRENDnet TEW-432BRP 3.10B20. Affected by this issue is the function formWPS of the file /goform/formWPS. Such manipulation of the argument peerPin leads to stack-based buffer overflow. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the formWPS function accessed via the /goform/formWPS endpoint. An authenticated attacker can supply an oversized value in the peerPin parameter, causing a stack-based buffer overflow (CWE-121). This memory corruption occurs in a remotely accessible web interface function and bypasses authentication only in the sense that the WPS page itself may be accessible depending on network configuration. The flaw maps to CWE-119 (improper restriction of operations within the bounds of a memory buffer) and CWE-121 (stack-based buffer overflow). Public exploit code is available, lowering the barrier to exploitation.
Business impact
Organizations running this legacy hardware as part of network infrastructure face a material but time-limited risk. While the router is obsolete, it may still be deployed in remote offices, branch locations, or disconnected networks where refresh cycles are extended. A successful attack could result in temporary denial of service (device crash) or, in worst case, code execution allowing an attacker inside the network perimeter to pivot to higher-value targets. The lack of vendor support means vulnerability management relies entirely on network segmentation and access controls rather than patching.
Affected systems
The TEW-432BRP router in firmware version 3.10B20 is the confirmed affected hardware. No patches will be released by TRENDnet. Any deployment of this device should be considered vulnerable unless mitigated through network architecture (e.g., isolation, firewall rules restricting access to the web interface, or device replacement).
Exploitability
Exploitation requires network access to the router's web interface and valid credentials to authenticate to the device. Public exploit code is available, which increases the practical risk of opportunistic attacks in environments where the router is internet-facing or accessible to untrusted network segments. The attack is straightforward once authentication is achieved, making it a concern for any administrator unable to decommission the hardware promptly. The CVSS score of 8.8 (HIGH) reflects the combination of high impact and relatively easy exploitation for a remote, authenticated attacker.
Remediation
The most effective mitigation is hardware replacement with a supported, current-generation router. If immediate replacement is not feasible, isolate the affected router from external and untrusted network access via firewall rules, VLANs, or network segmentation. Restrict access to the web interface (typically port 80/443) to only trusted administrators and administrative subnets. Monitor for unusual access patterns or crashes that might indicate exploitation attempts. Disable WPS if the feature is not required, though the underlying buffer overflow in the formWPS function remains a concern if the interface is accessible.
Patch guidance
No patches will be issued by TRENDnet, as confirmed by the vendor. Firmware version 3.10B20 is the final release for this device. Any organization still running this hardware must accept the vulnerability as unfixable at the code level and rely on compensating controls (network isolation, access restrictions, and hardware replacement planning) to manage risk.
Detection guidance
Monitor HTTP access logs for POST requests to /goform/formWPS with unusually large peerPin parameters. Set up IDS/IPS signatures to detect oversized parameters in WPS configuration requests if the router is accessible over networks you control. Application-level monitoring may detect device crashes or reboots occurring after such requests. Network flows to the router's web interface from unexpected sources should trigger investigation. Given the age of the hardware, any active management traffic to it warrants review against your current inventory to ensure it is still intentionally deployed.
Why prioritize this
Despite the HIGH CVSS score, this vulnerability affects only a router that has been unsupported for 15+ years. Prioritization should be based on organizational inventory: if the device is still in production, it should be flagged for urgent replacement and network isolation. If it has already been decommissioned, no action is needed. The presence of public exploit code and the feasibility of exploitation for authenticated attackers mean that any active deployment should be treated as a near-term security gap requiring compensating controls or replacement.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects a HIGH severity rating driven by network-based attack vector, low complexity, and high impact on confidentiality, integrity, and availability. The primary mitigating factor is the requirement for prior authentication (PR:L). For an organization, the real-world risk depends entirely on whether the device is still in use and how it is positioned in the network. A device fully isolated from untrusted segments and managed only by authorized administrators carries lower practical risk than one with broad accessibility.
Frequently asked questions
Do I need to patch this if I still have a TEW-432BRP router?
No patches are available. Instead, you should plan hardware replacement as a priority. In the interim, segment the router from external and untrusted network access, restrict web interface access to authorized administrators only, and monitor for signs of exploitation. This is not a 'wait and apply updates' situation—vendor support ended in 2009.
What happens if an attacker exploits this vulnerability?
At minimum, the router will crash and require a reboot, causing a temporary denial of service. In a more severe scenario, an attacker could execute arbitrary code on the device, potentially using it as a foothold to attack other systems on your network or to intercept traffic. The impact depends on what the router has access to and how sensitive the traffic passing through it is.
Is this vulnerability in the KEV (Known Exploited Vulnerabilities) catalog?
No, this vulnerability has not been added to CISA's KEV catalog as of the current date. However, public exploit code does exist, which means the barrier to practical exploitation is low. Organizations should not assume that absent KEV status means this is not a real threat.
We have this router but it's only used for a guest network. Should we still worry?
Even on a guest network, compromise of the router could allow an attacker to intercept guest traffic, escalate to your main network, or use the device as a waypoint for further attacks. Given the age and lack of support, replacement remains the safest approach. At minimum, ensure guest network traffic is isolated from production systems and that access to the router's management interface is restricted.
This analysis is based on publicly available vulnerability data and vendor statements as of the publication date. TRENDnet has officially stated this product has been unsupported since 2009 and will not be patching vulnerabilities. Organizations should verify their current inventory against this CVE, assess network exposure, and plan hardware replacement accordingly. No exploit code is provided or endorsed by SEC.co. This vulnerability assessment does not replace professional security risk evaluation specific to your infrastructure and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10064MEDIUMTRENDnet TEW-432BRP Stack Overflow – Unpatched EOL Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow