Description
A vulnerability was detected in Trendnet TEW-657BRM 1.00.1. Affected is the function ping_test of the file /setup.cgi. Performing a manipulation of the argument c4_IPAddr results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via OS command injection
Action: Remove Device
AI Analysis

Impact

The ping_test function in /setup.cgi accepts a c4_IPAddr parameter that can be manipulated to inject arbitrary operating‑system commands, enabling an attacker to execute arbitrary code on the device. The flaw represents command injection weaknesses (CWE‑77 and CWE‑78).

Affected Systems

Trendnet TEW‑657BRM devices running firmware version 1.00.1 are affected. The product is no longer supported or maintained by Trendnet, having reached end‑of‑life in 2011.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, but because the device offers a publicly accessible web interface and no patch is available, the risk is elevated. The exploit is remotely reachable over the network through the /setup.cgi endpoint, and publicly shared tools exist. With no vendor fix and the device being EOL, the vulnerability remains exploitable by adversaries who can reach the device.

Generated by OpenCVE AI on April 2, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disconnect the TEW‑657BRM from the network to eliminate exposure
  • If the device must stay online, isolate it on a separate VLAN and restrict external access
  • Configure firewall rules to block requests to the /setup.cgi URL or the device's management port
  • Continuously monitor device logs for anomalous command executions and network traffic
  • Replace the device with a supported, security‑maintained solution

Generated by OpenCVE AI on April 2, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Trendnet tew-657brm
Vendors & Products Trendnet tew-657brm

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Trendnet TEW-657BRM 1.00.1. Affected is the function ping_test of the file /setup.cgi. Performing a manipulation of the argument c4_IPAddr results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.
Title Trendnet TEW-657BRM setup.cgi ping_test os command injection
First Time appeared Trendnet
Trendnet tew-657brm Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:trendnet:tew-657brm_firmware:*:*:*:*:*:*:*:*
Vendors & Products Trendnet
Trendnet tew-657brm Firmware
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Trendnet Tew-657brm Tew-657brm Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T16:21:43.958Z

Reserved: 2026-04-01T16:47:14.873Z

Link: CVE-2026-5353

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-02T17:16:32.053

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-5353

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:18:35Z

Weaknesses