CVE-2026-10180
Command Injection in TRENDnet TEW-432BRP
Publication date: 2026-05-31
Last updated on: 2026-05-31
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trendnet | tew-432brp | 3.10b20 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10180 is a command injection vulnerability found in the TRENDnet TEW-432BRP router, specifically in the formSysCmd function accessed via the /goform/formSysCmd endpoint.
An attacker can send a specially crafted HTTP POST request containing a manipulated sysCmd parameter that the device executes without proper input validation.
This allows the attacker to execute arbitrary commands on the device remotely, such as rebooting the router, leading to potential system compromise.
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary commands on the affected TRENDnet router, which can lead to unauthorized control over the device.
Potential impacts include disruption of network services (e.g., forced reboot), compromise of the routerβs integrity, and possibly further exploitation of the network connected to the device.
Since the device is no longer supported or patched by the vendor, the risk remains unmitigated.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP POST requests sent to the `/goform/formSysCmd` endpoint containing the `sysCmd` parameter with suspicious or unexpected values.
A practical detection method is to capture network traffic and look for POST requests targeting `/goform/formSysCmd` with parameters that attempt to inject commands, such as `sysCmd=reboot` or other shell commands.
For example, using command-line tools like curl or network monitoring tools, you can check if such requests are being made.
- Use tcpdump or Wireshark to filter HTTP POST requests to `/goform/formSysCmd`.
- Example tcpdump command: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/formSysCmd'`
- Use curl to test manually: `curl -X POST http://<device-ip>/goform/formSysCmd -d 'sysCmd=reboot'` to see if the device executes the command.
What immediate steps should I take to mitigate this vulnerability?
Since the affected TRENDnet TEW-432BRP device is end-of-life and no patches or fixes are available, immediate mitigation steps focus on limiting exposure and preventing exploitation.
- Isolate the vulnerable device from untrusted networks, especially the internet.
- Disable remote management or access to the device's web interface if possible.
- Implement network-level controls such as firewall rules to block incoming HTTP POST requests to `/goform/formSysCmd`.
- Monitor network traffic for suspicious requests targeting the vulnerable endpoint.
Ultimately, consider replacing the device with a supported model to ensure security updates and patches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.