Description
A security vulnerability has been detected in Trendnet TEW-657BRM 1.00.1. This impacts the function Edit of the file /setup.cgi. Such manipulation of the argument pcdb_list leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via OS command injection
Action: Replace Device
AI Analysis

Impact

A flaw in the Edit function of Trendnet TEW-657BRM’s /setup.cgi allows an attacker to supply a manipulated pcdb_list argument that is executed on the device’s operating system. This enables arbitrary command execution on the device, potentially granting full control over the router including access to its configuration, stored credentials and the possibility of pivoting to other network assets.

Affected Systems

The vulnerability is limited to the Trendnet TEW-657BRM model running firmware version 1.00.1. The device has been end‑of‑life and no longer supported by the vendor since June 2011. No other versions or models are listed as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk, while an EPSS of 1% denotes a low probability of exploitation in the general population. The vulnerability is not recorded in the CISA KEV catalog. Exploitation requires remote access to the device’s web interface; because the device is discontinued, the window of opportunity depends on the presence of the unit in an active network environment. Without a vendor patch, the only mitigation is to eliminate or isolate the device from external exposure.

Generated by OpenCVE AI on April 7, 2026 at 23:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove or replace the Trendnet TEW-657BRM with a supported device
  • If removal is not possible, isolate the unit from the Internet and block all inbound management ports (e.g., 80, 443)
  • Disable remote configuration features on the device to limit attack surface
  • Conduct a network audit to identify any other unsupported devices and address them
  • Apply network segmentation and firewall rules to restrict traffic to the device
  • Monitor network logs for unexpected access attempts to the device

Generated by OpenCVE AI on April 7, 2026 at 23:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:h:trendnet:tew-657brm:-:*:*:*:*:*:*:*
cpe:2.3:o:trendnet:tew-657brm_firmware:1.00.1:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Trendnet tew-657brm
Vendors & Products Trendnet tew-657brm

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in Trendnet TEW-657BRM 1.00.1. This impacts the function Edit of the file /setup.cgi. Such manipulation of the argument pcdb_list leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.
Title Trendnet TEW-657BRM setup.cgi edit os command injection
First Time appeared Trendnet
Trendnet tew-657brm Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:trendnet:tew-657brm_firmware:*:*:*:*:*:*:*:*
Vendors & Products Trendnet
Trendnet tew-657brm Firmware
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Trendnet Tew-657brm Tew-657brm Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T17:38:37.073Z

Reserved: 2026-04-01T16:47:11.901Z

Link: CVE-2026-5352

cve-icon Vulnrichment

Updated: 2026-04-02T17:38:31.846Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T17:16:31.817

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:55:35Z

Weaknesses