HIGH 8.8

CVE-2026-10160: TRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability

A stack-based buffer overflow vulnerability exists in the TRENDnet TEW-432BRP wireless router (firmware version 3.10B20). An authenticated attacker can exploit this flaw by manipulating the 'start_wizard' parameter sent to the router's web interface, potentially allowing remote code execution. The vendor has confirmed this product reached end-of-life in 2009 and will not issue patches.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in TRENDnet TEW-432BRP 3.10B20. Affected by this issue is the function formSetEnableWizard of the file /goform/formSetEnableWizard. Such manipulation of the argument start_wizard leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10160 is a stack-based buffer overflow in the formSetEnableWizard function accessible via the /goform/formSetEnableWizard endpoint on affected TRENDnet TEW-432BRP routers. The vulnerability (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-121: Stack-based Buffer Overflow) arises from insufficient input validation on the 'start_wizard' parameter. An authenticated remote attacker can craft a malicious request to overflow the stack, potentially achieving arbitrary code execution with the privileges of the router's web service process. The CVSS 3.1 score of 8.8 reflects the HIGH severity: network-accessible attack vector, low attack complexity, requirement for low privileges (authentication), and complete impact to confidentiality, integrity, and availability.

Business impact

Organizations still operating legacy TRENDnet TEW-432BRP routers face significant risk. Successful exploitation could allow an attacker with valid credentials to gain full control of the router, enabling network traffic interception, man-in-the-middle attacks, lateral network movement, or complete denial of service. Given the device's role as network perimeter equipment, compromise directly threatens the security posture of connected networks. The lack of vendor support means no patches will ever be released.

Affected systems

This vulnerability affects TRENDnet TEW-432BRP wireless routers running firmware version 3.10B20. The TEW-432BRP is a consumer-grade dual-band wireless router that has been out of support since 2009. Any organization or individual still deploying this hardware is affected and will remain vulnerable indefinitely.

Exploitability

Exploitation requires network access to the router's web management interface and valid authentication credentials. The attack complexity is low—no special conditions or user interaction is required beyond sending a crafted HTTP request. Public disclosure of this vulnerability has occurred, lowering the barrier to practical exploitation. Active threat actors monitoring public disclosures may already be developing or using exploits.

Remediation

The definitive remediation is hardware and firmware replacement. Organizations should immediately decommission any TRENDnet TEW-432BRP devices and replace them with current, vendor-supported equipment. If immediate replacement is not feasible, implement network segmentation to restrict access to the router's web management interface (port 80/443) using strict access control lists, and consider air-gapping or isolating affected routers to limit lateral movement risk.

Patch guidance

The vendor has explicitly stated no patches will be issued, as this product has been end-of-life for 15 years. No firmware updates exist to remediate this vulnerability. Patching is not a viable remediation path; hardware replacement is mandatory for any organization seeking to eliminate this risk.

Detection guidance

Monitor for HTTP POST requests to /goform/formSetEnableWizard on internal network segments where these routers may operate. Watch for oversized or malformed 'start_wizard' parameter values, unusual process spawning from web service processes on the router, or unexpected router behavior following anomalous web requests. Log authentication attempts and management interface access. Network-based intrusion detection signatures targeting stack buffer overflows in this specific endpoint may be developed by IDS vendors; check for applicable rule updates. Device-level logging (if accessible) should be reviewed for signs of exploitation attempts.

Why prioritize this

Although the CVSS score is HIGH (8.8) and the vulnerability is publicly disclosed with active exploit availability, real-world prioritization should account for the product's end-of-life status and likely limited remaining deployments. Organizations still using 15-year-old consumer routers are likely small businesses, resource-constrained operations, or legacy network segments. The window for risk reduction is closing: focus on identifying which networks still operate this hardware and execute orderly replacements. Do not deprioritize based on age alone—any remaining deployment represents a direct path to network compromise.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability requiring only user-level authentication that completely compromises the confidentiality, integrity, and availability of the affected system. The score appropriately weighs the severity of impact (unauthenticated remote code execution is highly damaging on network infrastructure) against the authentication barrier (an attacker must possess or obtain valid router credentials). The score does not discount for end-of-life status; the technical severity remains high regardless of support status.

Frequently asked questions

Can I work around this vulnerability without replacing the router?

Temporary mitigations include restricting management interface access to trusted IP addresses via firewall rules, disabling remote management entirely if local administration suffices, and isolating the router on a separate management VLAN with minimal trust relationships to production networks. These measures reduce but do not eliminate risk, as insider threats or compromised internal systems could still exploit the flaw. These are stopgap measures only; replacement should remain the goal.

Why hasn't this been fixed if the product is so old?

The vendor confirmed the product reached end-of-life in 2009 and lacks resources or capability to develop, test, and release firmware patches for hardware no longer in active support. This is standard practice across the industry—vendors cannot sustainably support products indefinitely. This underscores why purchasing decisions should factor in vendor support lifecycles and why organizations should plan equipment refresh cycles accordingly.

Is this vulnerability actively being exploited in the wild?

The vulnerability has been publicly disclosed, and exploit code availability is known. While there is no confirmed widespread active exploitation against deployed routers, the combination of public disclosure, low attack complexity, and network accessibility makes opportunistic exploitation likely. Any organization still operating this hardware should assume attackers are aware of the vulnerability.

How do I know if we have this router on our network?

Conduct a network scan for devices responding on HTTP/HTTPS management ports. Telnet or SSH into suspected routers to check the model number and firmware version. Check procurement records, asset management databases, or contact branch offices and remote locations directly. Given the device's age, it may have been forgotten or relegated to backup status; thorough discovery is essential before declaring the vulnerability remediated.

This analysis is provided for informational purposes to support security decision-making. The information reflects publicly available data as of the publication date and may not encompass all undisclosed variants or exploitation scenarios. Organizations should verify all technical details, including affected firmware versions and patch availability, against the official vendor advisories before taking remedial action. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Consult with qualified cybersecurity professionals for guidance specific to your infrastructure. The presence of this vulnerability does not guarantee active exploitation in any particular environment; risk assessment should incorporate organizational context, network architecture, and threat modeling. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).