HIGH 8.8

CVE-2026-10162: TRENDnet TEW-432BRP Stack Buffer Overflow (CVSS 8.8)

TRENDnet's TEW-432BRP wireless router (version 3.10B20) contains a stack-based buffer overflow vulnerability in its password-setting function. An authenticated attacker can send specially crafted input to the formSetPassword endpoint to overflow memory and potentially execute code on the device. The device has been end-of-life since 2009, and the vendor explicitly will not release patches. While the attack requires login credentials, the high CVSS score reflects the severity of potential compromise.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A flaw has been found in TRENDnet TEW-432BRP 3.10B20. This vulnerability affects the function formSetPassword of the file /goform/formSetPassword. Executing a manipulation of the argument webpage can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10162 is a stack-based buffer overflow in the formSetPassword function of the TRENDnet TEW-432BRP (firmware 3.10B20). The vulnerability stems from unsafe manipulation of the 'webpage' argument without proper bounds checking. Successful exploitation requires authenticated access (network-based, no user interaction needed) and can result in arbitrary code execution with device-level privileges. The flaw maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). Public exploit code is available.

Business impact

Direct operational risk is limited to organizations still operating this 15-year-old hardware in 2026. However, compromised routers can be weaponized for lateral network movement, DNS hijacking, or traffic interception, making this a supply-chain and access control issue rather than a perimeter threat. For enterprises, the larger concern is inventory discovery: determining whether these devices remain deployed in branch offices, remote sites, or legacy network segments. Continued presence in production indicates potential control weaknesses.

Affected systems

Only the TRENDnet TEW-432BRP wireless router running firmware version 3.10B20 is affected. The device reached end-of-life in 2009. Organizations using this router are running hardware that is 17+ years old and completely outside vendor support windows. No current product lines from TRENDnet are impacted.

Exploitability

Exploitation requires authenticated access to the device's web interface, lowering the attack surface compared to unauthenticated flaws. However, default credentials for legacy routers are widely documented, and many organizations deploy these devices with unchanged factory passwords. Public exploit code exists, meaning technical barriers to weaponization are minimal for anyone with network access to the device. The straightforward nature of buffer overflow exploitation in embedded systems elevates practical risk.

Remediation

The vendor will not issue patches. Complete remediation requires immediate decommissioning and replacement of affected routers. Any TEW-432BRP device still in service should be isolated or removed from the network. If replacement is not immediately feasible, restrict network access to the device's web interface via firewall rules and VLANs, change default credentials, and monitor for suspicious administration activity.

Patch guidance

No patches are available or will be released by TRENDnet. Organizations cannot remediate this vulnerability through software updates. Hardware replacement is the only viable path forward. Before purchasing replacements, verify that all current TRENDnet routers in your environment have reached end-of-life or are receiving active security updates from the vendor.

Detection guidance

Monitor for unusual access to the formSetPassword endpoint (/goform/formSetPassword) on TEW-432BRP devices. Look for POST requests with abnormally large or malformed 'webpage' arguments. Detect the presence of TEW-432BRP hardware through network discovery tools, SNMP queries, or HTTP banner grabbing (the device may return identifying information in HTTP headers). Check system logs and audit trails for changes to router administrative accounts. Network segmentation should reduce the likelihood of external probing, but internal reconnaissance should be treated as a baseline.

Why prioritize this

Although the CVSS score is HIGH (8.8), prioritization depends heavily on asset inventory. If your organization does not operate any TEW-432BRP routers, this CVE requires no immediate action beyond confirming absence through asset discovery. If any such devices are present, prioritization is CRITICAL because the vendor will not patch and exploitation is straightforward for authenticated attackers. This is a 'find and replace' emergency, not an 'apply patches and monitor' issue.

Risk score, explained

CVSS 8.8 reflects: (1) network accessibility (AV:N), (2) low complexity attack (AC:L) requiring only standard buffer overflow techniques, (3) requirement for prior authentication (PR:L), (4) no user interaction needed (UI:N), and (5) high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The authentication requirement prevents mass remote exploitation but is offset by widespread use of default credentials in legacy environments. The HIGH severity designation is appropriate for devices still in use; however, lack of KEV status indicates this is not being actively exploited at scale in the wild—likely because so few TEW-432BRP devices remain deployed.

Frequently asked questions

Should we immediately replace every TEW-432BRP in our network?

Yes, if you have any in active use. This device is 15+ years past end-of-life. Even without this CVE, these routers lack basic modern security controls and should not be trusted with network access. Treat replacement as a business continuity and inventory management issue, not just a patch cycle issue.

Can we mitigate this vulnerability without replacing the device?

Partial mitigation is possible but not reliable. Disable remote administrative access, restrict web interface access to specific internal IPs via firewall rules, enforce strong non-default credentials, and place the device on a segregated network segment. However, these controls do not eliminate the underlying flaw. They reduce attack surface if the device is compromised through other means. Replacement remains the only true remediation.

How do we find TEW-432BRP devices in our network?

Conduct network discovery scans looking for active HTTP services on common router ports (80, 8080). Use banner grabbing to identify the device model and firmware version. Check device configuration management tools and asset inventory systems for historical records of device deployment. Query DHCP logs and DNS for patterns consistent with router behavior. Network segmentation (VLANs, subnets) may limit visibility—work with infrastructure teams to ensure comprehensive scanning.

Does this vulnerability affect newer TRENDnet routers?

No. This CVE is specific to the TEW-432BRP firmware version 3.10B20, which is no longer sold or supported. Verify the exact model and firmware of any TRENDnet router in your environment before assuming it is affected. Check TRENDnet's support website or the device label for model and firmware information.

This vulnerability analysis is provided for informational purposes to assist with security decisions. The information is based on publicly disclosed CVE data and vendor statements. Organizations should verify the presence of affected hardware through their own asset discovery and security assessments. The vendor (TRENDnet) has stated it will not release patches; decisions regarding mitigation, replacement, or decommissioning should be made in consultation with your IT and risk management teams. No exploit code is provided or recommended for testing without explicit authorization from management and in controlled environments only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).