Description
A vulnerability was determined in TRENDnet TEW-432BRP 3.10B20. The impacted element is the function formWlanSetup of the file /goform/formWlanSetup. Executing a manipulation of the argument enrollee can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-05-31
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the formWlanSetup function, reached through /goform/formWlanSetup on the TRENDnet TEW‑432BRP. An attacker can supply a crafted enrollee parameter that is not properly neutralized, resulting in command injection (CWE‑77); the record also lists the general injection weakness CWE‑74. Because the router’s web management interface is reachable over the network, the issue can be exploited remotely; the CVSS vectors in this record rate the required privileges as low (PR:L, Au:S).

Affected Systems

The affected device is the TRENDnet TEW‑432BRP running firmware 3.10B20. According to the vendor, the product has been End‑of‑Life for 15 years (since 2009). No patches or security updates are available from the vendor, so the device remains vulnerable if it continues to expose the web interface. No newer TRENDnet models or firmware versions are reported as impacted.

Risk and Exploitability

The CVSS 4.0 score of 5.3 is rated Medium. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalogue. Exploitation is possible by sending a malicious HTTP POST request to /goform/formWlanSetup with a crafted enrollee payload. If successful, the injected commands execute on the device, potentially compromising the router and the network it serves. Because the vendor has not released a fix and the product is no longer supported, the vulnerability remains present until the device is replaced or its exposure is eliminated.

Generated by OpenCVE AI on May 31, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Block external access to the TEW‑432BRP’s web interface or restrict inbound traffic to trusted internal addresses using a firewall.
  • Disable or block the /goform/formWlanSetup endpoint by configuring the router’s firewall or by disabling the web management service if it is not needed.
  • Replace the TEW‑432BRP with a supported router that receives security updates, or remove the device from the network if it is no longer required.

Advisories

No advisories yet.

History

Sun, 31 May 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was determined in TRENDnet TEW-432BRP 3.10B20. The impacted element is the function formWlanSetup of the file /goform/formWlanSetup. Executing a manipulation of the argument enrollee can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. |
| Title | | TRENDnet TEW-432BRP formWlanSetup command injection |
| First Time appeared | | Trendnet; Trendnet tew-432brp |
| Weaknesses | | CWE-74; CWE-77 |
| CPEs | | cpe:2.3:a:trendnet:tew-432brp:*:*:*:*:*:*:*:* |
| Vendors & Products | | Trendnet; Trendnet tew-432brp |
| References | | |
| Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T13:00:10.061Z

Reserved: 2026-05-30T16:28:30.330Z

Link: CVE-2026-10182

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T14:16:50.530

Modified: 2026-05-31T14:16:50.530

Link: CVE-2026-10182

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T15:45:06Z

Weaknesses