CVE-2026-15487
Received Received - Intake

Command Injection in TRENDnet TEW-821DAP Firmware

Vulnerability report for CVE-2026-15487, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulDB

Description

A vulnerability was found in TRENDnet TEW-821DAP 1.11B03. This impacts the function sub_41FBD0 of the file /goform/system_ntp of the component Firmware Update Handler. Performing a manipulation of the argument Hostname results in os command injection. The attack may be initiated remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
trendnet tew-821dap to 1.0r (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a command injection flaw found in the firmware of the TRENDnet TEW-821DAP router, specifically version 1.11B03. It occurs in the Network Time Protocol (NTP) client configuration where the hostname parameter is taken from user input and directly used in a system command without proper validation or sanitization.

An attacker can exploit this by sending a specially crafted HTTP POST request to the /goform/system_ntp endpoint, injecting malicious commands into the hostname argument. These commands are then executed on the device, allowing the attacker to run arbitrary code remotely.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary commands on the affected router without authentication. This can lead to unauthorized control over the device, potentially allowing attackers to manipulate network traffic, steal sensitive information, disrupt network services, or use the device as a foothold for further attacks within the network.

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the endpoint /goform/system_ntp on the Trendnet TEW-821DAP router. Specifically, look for suspicious or malformed Hostname parameters that might contain command injection payloads.

One way to detect exploitation attempts is to capture and analyze network traffic for POST requests targeting /goform/system_ntp with unusual Hostname values.

Example commands to detect such activity might include using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint.

  • tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/system_ntp'
  • Use a web proxy or HTTP log analyzer to inspect POST data for the Hostname parameter containing suspicious characters or command injection patterns.
Mitigation Strategies

Since this vulnerability affects the Trendnet TEW-821DAP router firmware version 1.11B03 and the product is no longer supported by the vendor, immediate mitigation steps include:

  • Disable remote access to the router's management interface to prevent remote exploitation.
  • Block or restrict HTTP POST requests to the /goform/system_ntp endpoint at the network perimeter or firewall.
  • Monitor network traffic for suspicious activity targeting the vulnerable endpoint.
  • If possible, replace or upgrade the affected device to a supported model or firmware version without this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15487. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart