CVE-2026-10060 - Vulnerability Details

- TRENDnet TEW-432BRP formSetRoute command injection

Description

A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

Published: 2026-05-29

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A command injection flaw was discovered in the formSetRoute functionality of TRENDnet TEW‑432BRP firmware 3.10B20. By crafting input for the ip/mask/gateway arguments, an attacker can cause arbitrary shell commands to be executed on the device’s operating system, enabling remote code execution that can compromise confidentiality, integrity, and availability of the network.

Affected Systems

The flaw is limited to TRENDnet TEW‑432BRP routers running firmware version 3.10B20. The vendor has declared the device end‑of‑life since 2009, so no patch or update is available.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the EPSS score is not available, suggesting the probability of exploitation is currently unknown. The exploit is remotely accessible through the web interface and the vendor’s lack of support means the vulnerability remains unpatched, increasing the risk that attackers can execute arbitrary commands via the formSetRoute endpoint. The likely attack vector is remote network access to the device’s HTTP interface.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

TRENDnet

TEW-432BRP

affected

Version	Status	Constraints
`3.10B20`	affected	—

No data.

Vendor Product Confidence Versions

Trendnet

Tew-432brp

95%

Version	Status	Scheme	Platform
`3.10B20`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Replace the TRENDnet TEW‑432BRP router with a supported device that does not contain this vulnerability.
Block or disable remote access to the /goform/formSetRoute endpoint using a firewall or ACL so only trusted internal hosts can reach it.
Segregate the router onto a dedicated VLAN or subnet and restrict administrative access to a small set of trusted management servers.

Generated by OpenCVE AI on May 29, 2026 at 14:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/wudipjq/my_vuln/blob/main/TRENDnet/vuln_1/1.md
https://vuldb.com/submit/814756
https://vuldb.com/vuln/367146
https://vuldb.com/vuln/367146/cti

History

Fri, 29 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 29 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
Title		TRENDnet TEW-432BRP formSetRoute command injection
First Time appeared		Trendnet Trendnet tew-432brp
Weaknesses		CWE-74 CWE-77
CPEs		cpe:2.3:a:trendnet:tew-432brp::::::::
Vendors & Products		Trendnet Trendnet tew-432brp
References		https://github.com/wudipjq/my_vuln/blob/main/TRENDnet/vuln_1/1.md https://vuldb.com/submit/814756 https://vuldb.com/vuln/367146 https://vuldb.com/vuln/367146/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Trendnet Tew-432brp

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-29T13:15:08.832Z

Updated: 2026-05-29T15:45:15.419Z

Reserved: 2026-05-29T08:19:45.701Z

Link: CVE-2026-10060

Vulnrichment

Updated: 2026-05-29T15:42:15.335Z

NVD

Status : Awaiting Analysis

Published: 2026-05-29T14:16:25.340

Modified: 2026-05-29T16:16:22.803

Link: CVE-2026-10060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:30:03Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object