CVE-2026-10064: TRENDnet TEW-432BRP Stack Overflow – Unpatched EOL Router Vulnerability
TRENDnet has disclosed a remote stack-based buffer overflow vulnerability in the TEW-432BRP wireless router (firmware version 3.10B20 and earlier). An authenticated attacker can exploit this flaw by sending a specially crafted request to the port forwarding configuration endpoint, potentially allowing code execution or denial of service. The vendor has confirmed this product reached end-of-life in 2009 and will not issue patches. Public exploit code is available, elevating the practical risk despite the device's age.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in TRENDnet TEW-432BRP 3.10B20. This affects the function formSetPortTr of the file /goform/formSetPortTr. Performing a manipulation of the argument special_name results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10064 is a stack-based buffer overflow (CWE-119, CWE-121) in the formSetPortTr function of the TRENDnet TEW-432BRP router. The vulnerability exists in the /goform/formSetPortTr endpoint, where the special_name parameter is not properly validated before being written to the stack. This allows an authenticated user to overflow a fixed-size buffer and overwrite adjacent stack memory, potentially hijacking program execution. The attack vector is network-based and requires valid credentials but no user interaction.
Business impact
Organizations still operating TEW-432BRP devices face a significant security gap. While the CVSS score of 6.3 (Medium) reflects the need for authentication, the combination of remote exploitability, public proof-of-concept code, and zero vendor support creates a practical security risk. Affected devices cannot receive patches and should be treated as legacy infrastructure requiring network isolation or replacement.
Affected systems
The vulnerability affects TRENDnet TEW-432BRP wireless routers running firmware version 3.10B20 and likely all earlier versions. This is an end-of-life consumer/small-business router released around 2009. Only organizations that have retained these devices in production environments are at risk; however, older networks or branch offices may unknowingly still be running this hardware.
Exploitability
The vulnerability requires authentication (login credentials), which provides a baseline control but is not difficult for attackers with network access to overcome. Public exploit code is available, reducing the barrier to weaponization. The attack is remote, has low complexity, and requires no user interaction once an attacker is authenticated. The availability of functional exploits and the complete lack of patches make this a material exploitability concern for exposed instances.
Remediation
Immediate remediation requires decommissioning the affected device or physically isolating it from untrusted networks. As TRENDnet has confirmed no patches will be released, upgrading to a current, supported wireless router is the only permanent solution. Organizations should audit their network inventory to identify any remaining TEW-432BRP units and develop a replacement timeline. Interim mitigation includes disabling remote management, restricting access via firewall rules, and changing default credentials to strong values.
Patch guidance
No patches are available from TRENDnet. The vendor explicitly stated the product has been unsupported since 2009 and will not issue updates. Organizations cannot rely on patching and must treat replacement or network isolation as the only viable remediation path. Verify your device firmware version in the administrative interface; if it is TEW-432BRP firmware 3.10B20 or earlier, plan for device retirement.
Detection guidance
Monitor network traffic for HTTP POST requests to /goform/formSetPortTr endpoints on internal IP ranges. Look for unusual parameter values in the special_name field, particularly those containing unexpected binary data or abnormally long strings that may indicate buffer overflow attempts. Logging from affected routers (if available) may show failed authentication followed by repeated requests to this endpoint. Endpoint Detection and Response (EDR) tools on systems that might connect through affected routers should alert on unexpected privilege escalation or process spawning by router management services.
Why prioritize this
Despite its Medium CVSS score, this vulnerability merits immediate attention because: (1) exploit code is publicly available, (2) no patches exist and none will be issued, (3) the device is likely forgotten in production rather than actively managed, and (4) compromise of network infrastructure can serve as a pivot point for lateral movement. Age and obsolescence increase risk in this case rather than reducing it—security debt that has accumulated over 15+ years without updates.
Risk score, explained
The CVSS 3.1 score of 6.3 reflects authentication requirements and limited scope, but underweights the practical risk posed by zero vendor support and public exploits. For risk prioritization, treat this as higher priority than the base score suggests: the device cannot be patched, exploit tools exist, and a compromised router is a critical asset for network reconnaissance and lateral movement.
Frequently asked questions
Our company has one TEW-432BRP somewhere in the network. How urgent is this?
Very. Because there is no patch and exploit code is public, this device is a known weak point. Prioritize locating it, validating its firmware version, and either isolating it on a restricted VLAN with no sensitive traffic, or replacing it. Document its location so it isn't forgotten in future network reviews.
Can we mitigate this without replacing the router?
Partially. Disable remote management, enforce strong authentication (if the device supports it), restrict administrative access to specific internal IP ranges via firewall, and segment the router's network from critical systems. These steps reduce exposure but do not eliminate the vulnerability—replacement remains the recommended path.
Why does this old device matter if it's end-of-life?
End-of-life devices are often forgotten and neglected on networks. A compromised router becomes a persistent beachhead for attackers to conduct reconnaissance, sniff traffic, and pivot to other systems. It is foundational infrastructure, and its compromise undermines the security of everything behind it.
How do we detect if someone has exploited this on our device?
Check the router's administrative logs (if accessible) for repeated failed logins to /goform/formSetPortTr or unusual port forwarding rules. Monitor network behavior for unexpected outbound connections from the router's IP address, unusual DNS queries, or anomalous internal traffic patterns. If available, enable verbose logging before the device is retired.
This analysis is based on vendor advisory data and public CVE records as of the publication date. TRENDnet has confirmed this product will not receive patches. Organizations should verify their device firmware versions against official product documentation and test any remediation steps in non-production environments first. SEC.co makes no warranty regarding exploitability or impact; organizations should conduct their own risk assessment in the context of their network architecture and threat model. Always consult the vendor's official security advisory before taking remediation actions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow