CVE-2026-10180 - Vulnerability Details

- TRENDnet TEW-432BRP formSysCmd command injection

Description

A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. Impacted is the function formSysCmd of the file /goform/formSysCmd. Such manipulation of the argument sysCmd leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

Published: 2026-05-31

Score: 5.3 Medium

EPSS: 1.1% Low

KEV: No

Impact:

Action:

Analysis

Impact

A command injection flaw exists in the formSysCmd interface of TRENDnet TEW-432BRP firmware 3.10B20. Manipulating the sysCmd parameter allows an unauthenticated attacker to execute arbitrary operating‑system commands, compromising confidentiality, integrity, and availability. The flaw is categorized under CWE‑74 and CWE‑77 and carries a CVSS score of 5.3, indicating medium severity.

Affected Systems

The affected product is TRENDnet TEW-432BRP with firmware version 3.10B20. This device has been End‑of‑Life for 15 years and receives no vendor updates or fixes.

Risk and Exploitability

The EPSS score is 1%, indicating a low but non‑zero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog, but the flaw is publicly disclosed and remains exploitable. Attackers can reach the vulnerable endpoint over the network, meaning that any active device exposed to external traffic can be compromised if not isolated or replaced.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

TRENDnet

TEW-432BRP

affected

Version	Status	Constraints
`3.10B20`	affected	—

No data.

Vendor Product Confidence Versions

Trendnet

Tew-432brp

95%

Version	Status	Scheme	Platform
`3.10B20`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Disconnect the device from all external networks or place it behind a firewall that blocks unauthenticated access to the web interface, particularly the /goform/formSysCmd endpoint.
Replace the TEW‑432BRP unit with a supported router that eliminates the command injection vulnerability and receives ongoing security updates.
Implement network segmentation to restrict access to the device management interface to authorized personnel only, and consider enabling additional authentication mechanisms if available.

Generated by OpenCVE AI on May 31, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.01077.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/wudipjq/my_vuln/blob/main/TRENDnet/vuln_17/17.md
https://vuldb.com/cve/CVE-2026-10180
https://vuldb.com/submit/814774
https://vuldb.com/vuln/367461
https://vuldb.com/vuln/367461/cti

History

Sun, 31 May 2026 12:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. Impacted is the function formSysCmd of the file /goform/formSysCmd. Such manipulation of the argument sysCmd leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
Title		TRENDnet TEW-432BRP formSysCmd command injection
First Time appeared		Trendnet Trendnet tew-432brp
Weaknesses		CWE-74 CWE-77
CPEs		cpe:2.3:a:trendnet:tew-432brp::::::::
Vendors & Products		Trendnet Trendnet tew-432brp
References		https://github.com/wudipjq/my_vuln/blob/main/TRENDnet/vuln_17/17.md https://vuldb.com/cve/CVE-2026-10180 https://vuldb.com/submit/814774 https://vuldb.com/vuln/367461 https://vuldb.com/vuln/367461/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Trendnet Tew-432brp

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-31T11:15:06.990Z

Updated: 2026-05-31T11:15:06.990Z

Reserved: 2026-05-30T16:28:24.792Z

Link: CVE-2026-10180

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-31T12:16:17.740

Modified: 2026-05-31T12:16:17.740

Link: CVE-2026-10180

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T14:45:04Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object