CVE-2026-15481
Received Received - Intake

Command Injection in Trendnet TEW-635BRM Router

Vulnerability report for CVE-2026-15481, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulDB

Description

A security flaw has been discovered in Trendnet TEW-635BRM up to 1.00.03. This vulnerability affects the function ipoa_test of the file /sbin/rc of the component IPoA WAN Connection Setup. Performing a manipulation of the argument ipoa_ipaddr results in command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor explains: "We are unable to confirm if the vulnerability exists. This item has been EOL since 2011. We will make an official announcement of possible vulnerabilities, and recommend users to switch devices." This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
trendnet tew-635brm to 1.00.03 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The TRENDnet TEW-635BRM router, running firmware version V1.00.03, contains a command injection vulnerability in the `/sbin/rc` binary. The vulnerable function, `ipoa_test`, is triggered during IPoA (IP over ATM) WAN connection setup.

This function retrieves the NVRAM variable `ipoa_ipaddr` without sanitization and embeds it directly into a shell command using `sprintf()`, which is then executed via `system()`. Since `ipoa_ipaddr` is fully attacker-controlled, malicious actors can inject shell metacharacters (such as `;` or backticks) to execute arbitrary commands as root, leading to complete device compromise.

The attack requires write access to NVRAM, which can be achieved by modifying and uploading a configuration file through the web interface.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands on the affected device with root privileges remotely. This can lead to complete compromise of the router.

  • Unauthorized control over the device
  • Potential interception or manipulation of network traffic
  • Use of the compromised device as a pivot point for further attacks within the network
  • Disruption of network services or denial of service
Detection Guidance

This vulnerability can be detected by checking if the device is running the vulnerable firmware version V1.00.03 of the TRENDnet TEW-635BRM router. Since the vulnerability involves command injection via the NVRAM variable ipoa_ipaddr, one detection method is to verify if arbitrary commands can be injected and executed through manipulation of this variable.

A proof of concept involves injecting a command that creates a file (e.g., /tmp/poc_result) with a confirmation message. This can be tested by modifying and uploading a configuration file through the web interface that sets the ipoa_ipaddr variable to include shell metacharacters such as ";" or backticks to execute commands.

  • Check the firmware version of the device to confirm if it is V1.00.03.
  • Attempt to inject a command via the ipoa_ipaddr NVRAM variable by uploading a configuration file through the web interface.
  • Verify if a file like /tmp/poc_result is created on the device, indicating successful command injection.
Mitigation Strategies

Immediate mitigation steps include switching to a different device since the affected product is end-of-life and no official patches are available.

If continuing to use the device, restrict access to the web interface to prevent unauthorized modification of NVRAM variables.

Apply network-level protections such as firewall rules to block remote access to the device's management interfaces.

Avoid using the vulnerable function by disabling IPoA WAN connection setup if possible.

Long term, the vendor recommends switching devices as no official fix is provided.

Compliance Impact

The vulnerability allows remote command injection leading to complete device compromise, which could result in unauthorized access to sensitive data or disruption of services.

Such a compromise may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and maintaining system integrity.

However, the affected device is end-of-life since 2011 and no longer supported, which complicates mitigation and may increase compliance risks if still in use.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15481. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart