CVE-2026-5355
Received - Intake
OS Command Injection in Trendnet TEW-657BRM vpn_drop Function

Publication date: 2026-04-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Trendnet TEW-657BRM 1.00.1. Affected by this issue is the function vpn_drop of the file /setup.cgi. The manipulation of the argument policy_name leads to OS command injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor confirms that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.
Meta Information
Published: 2026-04-02
Last Modified: 2026-04-29
Generated: 2026-05-06
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
trendnet | tew-657brm_firmware | 1.00.1
CWE ID | Description
CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5355 is a remote OS command injection vulnerability in the Trendnet TEW-657BRM router, version 1.00.1. It exists in the vpn_drop function of the setup.cgi script. The vulnerability occurs because the vpn_drop function takes a user-supplied parameter called policy_name from HTTP requests and passes it directly to a command execution function without any input validation or sanitization.

This allows an attacker to remotely inject and execute arbitrary operating system commands on the affected device by manipulating the policy_name parameter. A proof-of-concept exploit demonstrates that sending a specially crafted POST request with shell commands embedded in the policy_name parameter causes the router to execute those commands.


How can this vulnerability impact me?

This vulnerability can allow a remote attacker to execute arbitrary commands on the affected router without authorization. This could lead to unauthorized control over the device, potentially allowing the attacker to manipulate network traffic, disrupt network services, steal sensitive information, or use the device as a foothold for further attacks within the network.

Since the exploit details have been publicly disclosed, the risk of active exploitation is increased, especially because the affected product is no longer supported or patched by the vendor.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection comes down to determining whether a Trendnet TEW-657BRM router running version 1.00.1 is present and whether the vpn_drop function in /setup.cgi on it is open to remote OS command injection.

A practical detection method involves sending a crafted POST request to the /setup.cgi endpoint with the policy_name parameter containing shell commands to test if they get executed.

  • Example command to test exploitation: curl -X POST http://<router-ip>/setup.cgi -d "policy_name=; /bin/ls>/4.txt&"

If the command is executed, it will create a file named '4.txt' on the device, indicating the vulnerability is present.
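
A passive complement to the active test above, as an added example that is not part of the original page: it inspects captured requests to /setup.cgi and flags policy_name values that contain shell metacharacters after URL decoding. The function names and the sample requests are constructed for illustration, and the metacharacter set is an assumption about what the device's shell would interpret.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Characters a POSIX shell treats as separators, substitution or redirection.
# Assumption: a legitimate VPN policy name never needs any of these.
SHELL_META = re.compile(r"[;|&`$()<>\r\n]")


def suspicious_policy_names(method, target, body):
    """Return decoded policy_name values that contain shell metacharacters.

    Only POST requests to /setup.cgi are inspected, matching the endpoint
    and parameter named in the advisory. Query string and form body are
    both decoded first, so percent-encoded payloads are not missed.
    """
    parts = urlsplit(target)
    if method.upper() != "POST" or parts.path != "/setup.cgi":
        return []
    hits = []
    for raw in (parts.query, body):
        for key, value in parse_qsl(raw, keep_blank_values=True, separator="&"):
            if key == "policy_name" and SHELL_META.search(value):
                hits.append(value)
    return hits


# Constructed sample requests: (method, request target, form body).
SAMPLES = [
    ("POST", "/setup.cgi", "policy_name=office_vpn"),                 # benign
    ("POST", "/setup.cgi", "policy_name=; /bin/ls>/4.txt&"),          # body from the test above
    ("POST", "/setup.cgi", "policy_name=%3B+%2Fbin%2Fls%3E%2F4.txt"), # same value, URL-encoded
    ("GET", "/index.htm", ""),                                        # unrelated request
]


def scan(samples):
    """Return (sample index, decoded value) for every flagged request."""
    findings = []
    for index, (method, target, body) in enumerate(samples):
        for value in suspicious_policy_names(method, target, body):
            findings.append((index, value))
    return findings


if __name__ == "__main__":
    for index, value in scan(SAMPLES):
        print(f"sample {index}: suspicious policy_name {value!r}")
```
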


What immediate steps should I take to mitigate this vulnerability?

Because the affected product was discontinued and has been end of life since June 23, 2011, no official patches or updates are available.

Immediate mitigation steps include removing the vulnerable device from the network or isolating it to prevent remote access.

Alternatively, replace the device with a supported and updated router model to eliminate the risk.

