Description
A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-05-29
Score: 5.3 Medium
EPSS: 4.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw was discovered in the formSetRoute functionality of TRENDnet TEW‑432BRP firmware 3.10B20. By crafting input for the ip/mask/gateway arguments, an attacker can cause arbitrary shell commands to be executed on the device’s operating system, enabling remote code execution that can compromise confidentiality, integrity, and availability of the network.

Affected Systems

The flaw is limited to TRENDnet TEW‑432BRP routers running firmware version 3.10B20. The vendor has declared the device end‑of‑life since 2009, so no patch or update is available.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of 4% suggests a low but non‑zero probability of exploitation. The exploit is remotely accessible through the web interface and the vendor’s lack of support means the vulnerability remains unpatched, increasing the risk that attackers can execute arbitrary commands via the formSetRoute endpoint. The likely attack vector is remote network access to the device’s HTTP interface.

Generated by OpenCVE AI on June 18, 2026 at 03:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace the TRENDnet TEW‑432BRP router with a supported device that does not contain this vulnerability.
  • Block or disable remote access to the /goform/formSetRoute endpoint using a firewall or ACL so only trusted internal hosts can reach it.
  • Segregate the router onto a dedicated VLAN or subnet and restrict administrative access to a small set of trusted management servers.

Generated by OpenCVE AI on June 18, 2026 at 03:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Trendnet tew-432brp Firmware
CPEs cpe:2.3:h:trendnet:tew-432brp:-:*:*:*:*:*:*:*
cpe:2.3:o:trendnet:tew-432brp_firmware:3.10b20:*:*:*:*:*:*:*
Vendors & Products Trendnet tew-432brp Firmware

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
Title TRENDnet TEW-432BRP formSetRoute command injection
First Time appeared Trendnet
Trendnet tew-432brp
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:a:trendnet:tew-432brp:*:*:*:*:*:*:*:*
Vendors & Products Trendnet
Trendnet tew-432brp
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Trendnet Tew-432brp Tew-432brp Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-29T15:45:15.419Z

Reserved: 2026-05-29T08:19:45.701Z

Link: CVE-2026-10060

cve-icon Vulnrichment

Updated: 2026-05-29T15:42:15.335Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-29T14:16:25.340

Modified: 2026-06-03T14:39:42.753

Link: CVE-2026-10060

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T04:00:15Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')