CVE-2026-10158: TRENDnet TEW-432BRP Stack Overflow Remote Code Execution
A stack-based buffer overflow has been discovered in the TRENDnet TEW-432BRP wireless router (firmware version 3.10B20). An authenticated attacker can send a specially crafted request to the port forwarding configuration interface, exploiting improper input validation on the server_name parameter. This can lead to remote code execution on the device. The vulnerability is particularly concerning because exploit code has already been released publicly. However, the affected product reached end-of-life in 2009 and the vendor has stated they cannot provide patches.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in TRENDnet TEW-432BRP 3.10B20. Affected is the function formPortFw of the file /goform/formPortFw. The manipulation of the argument server_name results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10158 is a stack-based buffer overflow in the formPortFw function within the /goform/formPortFw endpoint of TRENDnet TEW-432BRP 3.10B20. The vulnerability stems from insufficient bounds checking on the server_name parameter (CWE-119, CWE-121), allowing an authenticated attacker to overwrite stack memory. Successful exploitation requires network access and valid credentials, but does not require user interaction. The flaw can be triggered remotely and leads to memory corruption with potential for arbitrary code execution.
Business impact
Organizations still operating TEW-432BRP devices face a critical risk if the router is internet-facing or accessible from untrusted networks. Compromise could enable lateral movement into corporate network segments, interception of traffic, or use of the router as a pivot point for further attacks. The public availability of exploit code substantially increases the likelihood of opportunistic attacks. While the device is legacy, it may still be deployed in remote offices, branch locations, or embedded in production environments where replacement cycles are extended.
Affected systems
The vulnerability affects TRENDnet TEW-432BRP firmware version 3.10B20. The product has been end-of-life since 2009. No other product variants, firmware versions, or vendor alternatives are identified in the available data. Organizations should conduct an asset inventory to determine if any instances remain in active use.
Exploitability
Exploitability is moderate to high. The attack requires valid authentication credentials and network access to the device's web interface, reducing casual external exposure. However, default credentials are a known concern on legacy routers, and many organizations may not have changed factory-set passwords. Public availability of working exploit code significantly lowers the technical barrier to attack. Exploitation does not require user interaction or social engineering.
Remediation
The vendor has confirmed the product is end-of-life and will not issue patches. The only effective remediation is decommissioning the affected device. Organizations with TEW-432BRP units should prioritize their replacement with current, supported hardware. If immediate replacement is not feasible, isolate the device from untrusted networks, disable remote management access, implement strict network-level access controls, and monitor for suspicious activity on the device.
Patch guidance
No patch is available from the vendor. TRENDnet has stated they cannot replicate or fix vulnerabilities in this end-of-life product. Organizations must plan and execute hardware replacement. When procuring a replacement, verify that the new model is actively supported and receives regular security updates. Consider using this transition as an opportunity to audit network segmentation and access policies around critical infrastructure.
Detection guidance
Monitor for HTTP POST requests to /goform/formPortFw with unusually long or malformed server_name parameter values. Network-based intrusion detection signatures should flag requests to this endpoint that originate from internal networks or contain binary patterns indicative of shellcode. Check router logs for authentication attempts using default credentials or unusual account activity. Periodic network scans can identify devices running outdated firmware versions. Port forwarding configuration changes should be logged and reviewed for unauthorized modifications.
Why prioritize this
Despite the end-of-life status, this vulnerability warrants immediate attention because: (1) it is remotely exploitable by authenticated users, (2) exploit code is publicly available, (3) the CVSS score of 8.8 (HIGH) reflects significant impact, and (4) legacy devices are often overlooked during routine security assessments. The authentication requirement provides some protection but should not be relied upon if default credentials are unchanged. Prioritize discovery and remediation before active exploitation campaigns emerge.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects a HIGH severity vulnerability with high attack complexity (AC:L), low privilege requirements (PR:L), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). While authentication is required (reducing accessibility), the combination of remote exploitability, public proof-of-concept code, and the end-of-life status of the product—which typically means reduced monitoring and slower remediation cycles—elevates practical risk beyond the base score. Organizations with this device in use should treat this as urgent.
Frequently asked questions
Should we wait for a vendor patch before acting?
No. TRENDnet has explicitly stated they will not patch this product due to its end-of-life status since 2009. Waiting for a patch is not a viable strategy. Plan for hardware replacement as the only effective remediation.
What if we can't replace the device immediately?
Implement defense-in-depth measures: restrict network access to the device's management interface using firewall rules, change default credentials immediately, disable the web management interface if not actively needed, enable logging if available, and segment the device on a restricted VLAN. However, these are temporary measures; replacement should remain the priority.
How do we know if we have this device deployed?
Conduct a network scan for devices responding on typical router management ports (80, 443, 8080). Query your asset management database for TEW-432BRP entries. SSH or telnet to suspected devices and check the firmware version and model number. Check with branch office and remote site administrators, as legacy devices are often forgotten in non-central locations.
Is authentication really a barrier if default credentials are common?
Yes and no. Authentication does limit casual exposure to the internet. However, many administrators leave default credentials unchanged on legacy devices, especially in remote locations with minimal oversight. Assume that an attacker with internal network access or knowledge of default credentials can exploit this vulnerability.
This analysis is based on publicly available information as of June 2026. No vendor patches are available for this end-of-life product. Organizations should verify their device inventory and test any network isolation or monitoring changes in non-production environments before deployment. This vulnerability requires valid authentication credentials but should not be underestimated due to the prevalence of default credentials on legacy devices. SEC.co makes no warranty regarding the completeness or accuracy of detection signatures or remediation effectiveness in specific environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow