CVE-2026-15485
Received Received - Intake

Command Injection in TRENDnet TEW-821DAP

Vulnerability report for CVE-2026-15485, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulDB

Description

A flaw has been found in TRENDnet TEW-821DAP 1.11B03. The impacted element is the function sub_43F2C4 of the file /goform/tools_nslookup of the component DNS Lookup Handler. This manipulation of the argument nslookup_target/dns_server causes os command injection. The attack can be initiated remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
trendnet tew-821dap 1.11b03
trendnet tew-821dap 1.0r

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15485 is a command injection vulnerability found in the Trendnet TEW-821DAP router firmware version 1.11B03. The flaw exists in the DNS Lookup Handler component, specifically in the function sub_43F2C4 within the /goform/tools_nslookup endpoint. User-supplied inputs, nslookup_target and dns_server, are not properly validated and are directly concatenated into a system command. This allows an attacker to remotely inject and execute arbitrary operating system commands on the device.

Impact Analysis

This vulnerability can allow a remote attacker to execute arbitrary commands on the affected router without authentication. This could lead to unauthorized control over the device, enabling actions such as altering configurations, intercepting or redirecting network traffic, deploying malware, or using the device as a foothold for further attacks within the network.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP POST requests to the endpoint /goform/tools_nslookup on the Trendnet TEW-821DAP router. Such requests may contain manipulated parameters nslookup_target or dns_server that attempt to inject OS commands.

To detect exploitation attempts, you can capture and analyze network traffic for suspicious POST requests targeting /goform/tools_nslookup.

Example commands to detect such activity include:

  • Using tcpdump to capture HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/tools_nslookup'
  • Using grep on web server logs to find POST requests to /goform/tools_nslookup: grep 'POST /goform/tools_nslookup' /var/log/httpd/access.log
  • Inspecting parameters nslookup_target and dns_server in captured requests for suspicious characters or command injection patterns.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint /goform/tools_nslookup to trusted users only, such as by implementing network-level access controls or firewall rules.

Since the affected product (Trendnet TEW-821DAP) is no longer supported and no vendor patch is available, disabling or blocking the DNS Lookup Handler functionality if possible is recommended.

Monitoring and blocking suspicious HTTP POST requests to /goform/tools_nslookup can help prevent exploitation.

Consider isolating the device from untrusted networks to reduce exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15485. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart