CVE-2026-10159: Stack Overflow in TRENDnet TEW-432BRP – End-of-Life Router Vulnerability
A stack-based buffer overflow vulnerability has been discovered in the TRENDnet TEW-432BRP wireless router (version 3.10B20), specifically in the system log configuration function. An attacker with network access and valid credentials can send a specially crafted request to trigger a memory overflow, potentially executing arbitrary code on the device. The vendor has confirmed the product reached end-of-life in 2009 and will not be patching this issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in TRENDnet TEW-432BRP 3.10B20. Affected by this vulnerability is the function formSysLog of the file /goform/formSysLog. This manipulation of the argument current_page causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10159 affects the formSysLog function within /goform/formSysLog on the TEW-432BRP. The vulnerability stems from improper input validation on the current_page parameter, which allows an attacker to overflow the stack buffer (CWE-119, CWE-121). The attack requires network-layer access and valid authentication credentials but does not require user interaction. Successful exploitation can lead to code execution with the privileges of the web service process.
Business impact
Organizations still operating legacy TRENDnet TEW-432BRP routers face remote code execution risk if the device is accessible to authenticated users or if internal network segmentation is weak. Compromise of the device could allow lateral movement into critical infrastructure, unauthorized monitoring of network traffic, or use as a pivot point for further attacks. The lack of vendor support means no patch will ever be released; mitigation depends entirely on network architecture and device decommissioning.
Affected systems
TRENDnet TEW-432BRP version 3.10B20 and likely earlier firmware versions are affected. This is a single legacy wireless router model that has been unsupported since 2009. The vendor has not released patches and will not, making this a permanent vulnerability for any remaining installations.
Exploitability
Exploit code has been publicly disclosed, lowering the barrier to weaponization. However, exploitation requires two preconditions: the attacker must have network access to the device and must possess valid login credentials. This reduces real-world risk in segmented networks but poses significant danger in environments with weak authentication or where the router is internet-facing with default or weak credentials.
Remediation
The only reliable remediation is hardware replacement. Organizations should prioritize decommissioning all TEW-432BRP units and replacing them with current, supported wireless infrastructure. If immediate replacement is not feasible, isolate affected devices from untrusted networks, implement strict authentication controls, and monitor for suspicious administrative activity. Consider restricting access to the web management interface via firewall rules.
Patch guidance
No patch is available and will not be released by the vendor. Do not wait for an update; instead, plan and execute hardware replacement as part of your IT refresh cycle. Verify that no critical network functions depend solely on this device before removal.
Detection guidance
Monitor network traffic for POST requests to /goform/formSysLog with suspicious current_page parameter values (unusually long strings, non-alphanumeric sequences). Track failed and successful authentication attempts to the router's web interface. Scan your environment to identify any remaining TEW-432BRP devices using network reconnaissance tools or SNMP scanning, and document their locations and dependencies.
Why prioritize this
Although the CVSS score of 8.8 (HIGH) reflects significant technical severity, real-world prioritization should weigh the narrow exposure window (authenticated access only) against the complete lack of remediation options. Organizations with this hardware should treat it as a critical decommissioning project rather than a patching problem. The public availability of exploit code elevates urgency for organizations where the device is still deployed.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects a remotely exploitable vulnerability requiring valid credentials, offering no attack complexity constraints, and capable of achieving confidentiality, integrity, and availability impacts. While the score is HIGH, the true organizational risk depends on network topology: internet-facing routers with weak or default credentials warrant immediate action, while properly segmented internal devices pose lower risk but should still be scheduled for replacement.
Frequently asked questions
If this router is isolated on an internal network with strong authentication, is it still a risk?
The risk is substantially lower but not eliminated. Insider threats, compromised user accounts, and lateral movement from other breached systems could provide the network access and credentials needed to exploit this vulnerability. Additionally, network isolation can change over time. The best approach remains replacement to eliminate the vulnerability entirely.
Can we apply a workaround instead of replacing the hardware?
There is no patch, but you can reduce risk by restricting web interface access via firewall rules (blocking port 80/443 except from trusted IP ranges), enforcing strong authentication, disabling remote management, and increasing monitoring. These measures lower attack surface but do not eliminate the vulnerability itself. They should be interim measures only, with replacement as the end goal.
Is this vulnerability being actively exploited in the wild?
Public exploit code is available, which means the technical barrier to exploitation is low. However, the TEW-432BRP has been out of production for 15+ years, so the installed base is small. Attacks are more likely opportunistic than targeted, but any internet-facing instance with weak credentials is at real risk.
Should we scan our network for these devices?
Yes. Conduct a comprehensive network scan using tools like Nmap or your asset management system to identify any remaining TEW-432BRP units. Document their locations, network roles, and dependencies. Use this inventory to plan a replacement timeline and ensure no critical functions depend solely on this hardware.
This analysis is based on publicly available vulnerability data and vendor statements current as of the publication date. CVSS scores represent technical severity but do not account for organizational context, network topology, or business criticality. Organizations must conduct their own risk assessment and testing before deploying any defensive measures. The mention of exploit availability does not constitute endorsement or guidance for its use. Always verify the applicability of security recommendations within your own environment and consult vendor documentation and security advisories for the most current information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow