TRENDnet TEW-432BRP: 15 Remote Flaws Disclosed, Product is End-of-Life

Key findings

13 of 15 CVEs are stack-based buffer overflows (CVSS 8.8) in the router's /goform/ CGI handlers
2 command-injection flaws found in formWPS and formSetRoute functions
All vulnerabilities affect TEW-432BRP firmware 3.10B20, an end-of-life product
TRENDnet states the product is EOL and no patches will be released
Public exploit code is available for every disclosed CVE
Users must replace the device; no firmware fix is coming

Fifteen vulnerabilities were disclosed together for the TRENDnet TEW-432BRP (also referenced as TEW-632BRP) router running firmware version 3.10B20, the bulk of them high-severity stack-based buffer overflows that can be triggered remotely with publicly available exploit code. The batch, published between May 29 and May 31, 2026, reveals a systemic lack of input validation across the device's web-based management interface, putting users at risk of remote code execution and device compromise.

Stack-Based Buffer Overflows Dominate the Batch

Thirteen of the fifteen CVEs are stack-based buffer overflow flaws, all rated High (CVSSv3 8.8) except for one Medium (6.3). The vulnerabilities span nearly every administrative function exposed through the router's /goform/ CGI endpoints. An attacker with network access to the management interface can overflow fixed-size buffers by sending oversized arguments, potentially hijacking execution flow.

The affected functions and their corresponding CVE IDs are:

Password management: formSetPassword (CVE-2026-10162)
Statistics reset: formResetStatistic (CVE-2026-10161)
Wizard enable: formSetEnableWizard (CVE-2026-10160)
System log: formSysLog (CVE-2026-10159)
Port forwarding: formPortFw (CVE-2026-10158)
Domain filtering: formSetDomainFilter (CVE-2026-10123)
Protocol filtering: formSetProtocolFilter (CVE-2026-10122)
URL filtering: formSetUrlFilter (CVE-2026-10121)
Firewall rules: formSetFirewallRule (CVE-2026-10120)
MAC filtering: formSetMACFilter (CVE-2026-10119)
Port triggering: formSetPortTr (CVE-2026-10064)
WPS configuration: formWPS (CVE-2026-10063)
Routing table: formSetRoute (CVE-2026-10062)

Each of these functions accepts user-supplied data — such as webpage, server_name, firewall_name, peerPin, or ip/mask/gateway — and copies it into a fixed stack buffer without bounds checking. The descriptions for every overflow CVE note that the exploit has been published and may be used.

Command Injection in Two Functions

Two additional vulnerabilities, rated Medium (CVSSv3 6.3), involve command injection rather than buffer overflow. Both affect the same firmware version 3.10B20:

CVE-2026-10061 — command injection in the formWPS function via the peerPin argument.
CVE-2026-10060 — command injection in the formSetRoute function via the ip/mask/gateway arguments.

While the CVSS scores are lower, command injection can be equally dangerous, allowing an attacker to execute arbitrary operating-system commands on the router.

Vendor Response and Patch Status

TRENDnet has acknowledged the vulnerabilities. For CVE-2026-10061, the vendor's official statement reads: "This product has been End of Life and is no longer supported." The TEW-432BRP (and its variant TEW-632BRP) running firmware 3.10B20 is a legacy device that has reached end-of-life (EOL) status. No firmware patch will be issued for any of the 15 CVEs. Users are advised to replace the device with a supported model.

Impact and Exploitation Context

All 15 vulnerabilities are remotely exploitable without authentication, according to the CVE descriptions. With public exploit code already available for each flaw, the barrier to weaponization is low. An attacker who compromises the router could intercept or redirect traffic, install persistent malware, or use the device as a pivot point into the local network.

Given the EOL status and the absence of patches, every TEW-432BRP and TEW-632BRP unit still in service is effectively a permanent security risk. Users should prioritize replacing these routers immediately.