CVE-2026-5351
Remote OS Command Injection in Trendnet TEW-657BRM WPS Setup
Publication date: 2026-04-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trendnet | tew-657brm_firmware | 1.00.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5351 is a remote OS command injection vulnerability in the Trendnet TEW-657BRM router, version 1.00.1. It exists in the add_wps_client function of the setup.cgi script, where the parameter wl_enrolee_pin is taken from user input and passed directly to the system command without validation or sanitization.
This allows an attacker to remotely inject arbitrary operating system commands by manipulating the wl_enrolee_pin parameter, potentially executing any command on the device.
The exploit can be performed via a POST request to /setup.cgi with the malicious wl_enrolee_pin value, and although basic authentication is required, the attack can still be initiated remotely.
How can this vulnerability impact me? :
This vulnerability allows an attacker to execute arbitrary commands on the affected router remotely, which can lead to unauthorized control over the device.
Potential impacts include disruption of network services, unauthorized access to network traffic, installation of malicious software, or using the device as a foothold for further attacks within the network.
Since the product is discontinued and no longer supported, no patches or fixes are available, increasing the risk if the device is still in use.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted POST request to the /setup.cgi endpoint on the Trendnet TEW-657BRM router, targeting the add_wps_client function with a manipulated wl_enrolee_pin parameter.
For example, a test command could inject shell commands via the wl_enrolee_pin parameter to check for command execution. A proof of concept uses a payload like '; /bin/ls>/5.txt' to execute the ls command and write the output to a file named 5.txt on the device.
This requires basic authentication on the device and can be done remotely.
- Use a curl command to send a POST request with the malicious wl_enrolee_pin parameter, for example: curl -u <username>:<password> -X POST -d 'wl_enrolee_pin=; /bin/ls>/5.txt' http://<router-ip>/setup.cgi
- Check the device filesystem for the presence of the 5.txt file to confirm command execution.
What immediate steps should I take to mitigate this vulnerability?
Since the affected product, Trendnet TEW-657BRM version 1.00.1, has been discontinued and is no longer supported since June 23, 2011, no official patches or updates are available.
Immediate mitigation steps include removing the vulnerable device from the network or isolating it to prevent remote access.
Restrict access to the device's management interface, especially blocking remote access to the /setup.cgi endpoint.
Consider replacing the device with a supported and updated router model to ensure security.