CVE-2026-5354
OS Command Injection in Trendnet TEW-657BRM VPN Connect Function
Publication date: 2026-04-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trendnet | tew-657brm_firmware | 1.00.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-5354 vulnerability affects the Trendnet TEW-657BRM router, version 1.00.1. It is a remote OS command injection vulnerability located in the setup.cgi script, specifically within the vpn_connect function.
The vulnerability arises because the vpn_connect function retrieves the user-supplied parameter "policy_name" from an HTTP request and passes it directly to the SYSTEM function without any input validation or sanitization.
This allows an attacker to inject arbitrary OS commands remotely by manipulating the "policy_name" parameter.
The exploit requires authentication (Basic Auth with admin credentials) and has been publicly disclosed, increasing the risk of active exploitation.
How can this vulnerability impact me? :
This vulnerability allows a remote attacker with admin credentials to execute arbitrary operating system commands on the affected device.
Successful exploitation could lead to unauthorized control over the router, potentially compromising network security, disrupting network services, or enabling further attacks within the network.
However, the affected product has been discontinued and end-of-life since June 23, 2011, and no support or patches are available.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted POST request to the /setup.cgi endpoint targeting the vpn_connect function with a manipulated "policy_name" parameter that includes shell commands.
For example, a test command could be sending a POST request with the parameter: policy_name=; /bin/ls>/3.txt& to check if arbitrary commands are executed on the device.
Note that the exploit requires authentication using Basic Auth with admin credentials.
What immediate steps should I take to mitigate this vulnerability?
Since the affected product, Trendnet TEW-657BRM version 1.00.1, has been discontinued and end-of-life since June 23, 2011, no official patches or support are available.
Immediate mitigation steps include removing or isolating the vulnerable device from the network to prevent remote exploitation.
Additionally, restrict access to the device's management interface, especially blocking remote access and enforcing strong authentication controls.
Consider replacing the device with a supported and updated model to ensure ongoing security.