VYPR
Medium severity · 6.3 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-10060

Description

A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in TRENDnet TEW-432BRP router's formSetRoute function allows remote attackers to execute arbitrary commands via crafted ip/mask/gateway parameters.

Vulnerability

A command injection vulnerability exists in the formSetRoute function of the TRENDnet TEW-432BRP router running firmware version 3.10B20. The function, located at /goform/formSetRoute, does not sanitize user-supplied input for the ip, mask, and gateway parameters before passing them to a system command. This allows an attacker to inject arbitrary OS commands. The product has been end-of-life since 2009 and is no longer supported by the vendor [1].

Exploitation

An attacker with network access to the router's web interface can exploit this vulnerability by sending a crafted POST request to /goform/formSetRoute. The PoC demonstrates injecting a command using backticks in the ip parameter (e.g., ``ip=192.168.100.0 `reboot` ``). The request requires authentication; default credentials (admin:admin) are commonly used. No user interaction beyond the initial request is needed [1].

Impact

Successful exploitation results in remote command execution with root privileges on the router. The attacker can execute arbitrary commands, leading to full device compromise, including data exfiltration, modification of configuration, denial of service, or use as a pivot for further network attacks [1].

Mitigation

No patch is available. The vendor has stated that the product is end-of-life and will not receive any fixes. Users are advised to replace the TEW-432BRP with a supported device. No workaround is provided. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `formSetRoute` function passes user-controlled `ip`, `mask`, and `gateway` parameters directly to an OS shell without any sanitization, enabling command injection."

Attack vector

An unauthenticated attacker (or one with basic credentials) sends a crafted POST request to `/goform/formSetRoute` with a payload embedded in the `ip`, `mask`, or `gateway` parameter. The PoC demonstrates injecting backtick-enclosed commands (e.g., `` `reboot` ``) into the `ip` field, which the router's firmware then executes as OS commands. The attack is remote and requires no special privileges beyond network access to the device's web interface. [ref_id=1]

Affected code

The vulnerability resides in the `formSetRoute` function inside the `boa` binary, specifically in the file `/goform/formSetRoute`. The arguments `ip`, `mask`, and `gateway` are passed directly from the HTTP request without sanitization, allowing an attacker to inject arbitrary OS commands. [ref_id=1]

What the fix does

No patch is available. The vendor states the product has been end-of-life since 2009 and will not be fixed. The researcher recommends that string content should be validated during input extraction to prevent command injection. Without a patch, users must isolate or decommission the affected device. [ref_id=1]

Preconditions

  • network: The attacker must have network access to the router's web interface (typically on port 80/443).
  • input: The attacker must be able to send HTTP POST requests to /goform/formSetRoute.

Reproduction

Send a POST request to `http://<router-ip>/goform/formSetRoute` with a body such as `edit_row=-1&ip=192.168.100.0%20%60reboot%60&mask=255.255.255.0&gateway=192.168.10.50&iface=0&metric=1&add=Add&webpage=routing_static.asp&cur_ipaddr=192.168.10.1&cur_netmask=255.255.255.0&Action=`. The router will execute the injected `reboot` command. [ref_id=1]
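The validation the researcher recommends under "What the fix does", applied to the three fields named in the reproduction body, as an added example in C that is not code from the TEW-432BRP firmware or from the advisory's PoC: a strict dotted-quad parser plus a contiguity check for the netmask, run over a clean route and over the URL-decoded `ip` value from the reproduction request. Function names, return codes and the sample inputs are my own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Strict dotted-quad parser: exactly four decimal octets of 1..3 digits, no
 * leading zeros, each <= 255, and nothing after the last octet. A trailing
 * space, backtick or ';' rejects the whole string before it can reach a shell. */
bool parse_ipv4(const char *s, uint32_t *out) {
    uint32_t v = 0;
    for (int octet = 0; octet < 4; octet++) {
        const char *start = s;
        int val = 0;
        while (*s >= '0' && *s <= '9' && s - start < 4)
            val = val * 10 + (*s++ - '0');
        int ndigits = (int)(s - start);
        if (ndigits == 0 || ndigits > 3 || val > 255) return false;
        if (ndigits > 1 && *start == '0') return false;
        v = (v << 8) | (uint32_t)val;
        if (octet < 3) {
            if (*s != '.') return false;
            s++;
        }
    }
    if (*s != '\0') return false;
    *out = v;
    return true;
}

/* A netmask is a run of 1 bits then a run of 0 bits; 0.0.0.0 and 255.255.255.255 qualify. */
bool mask_is_contiguous(uint32_t m) {
    uint32_t inv = ~m;              /* low zero bits of m become low one bits */
    return (inv & (inv + 1)) == 0;  /* inv + 1 is 0 or a power of two */
}

/* 0 when ip, mask and gateway are all well-formed; otherwise the 1-based
 * index of the first rejected field (1 = ip, 2 = mask, 3 = gateway). */
int validate_route_params(const char *ip, const char *mask, const char *gw) {
    uint32_t ip_v, mask_v, gw_v;
    if (!parse_ipv4(ip, &ip_v)) return 1;
    if (!parse_ipv4(mask, &mask_v) || !mask_is_contiguous(mask_v)) return 2;
    if (!parse_ipv4(gw, &gw_v)) return 3;
    return 0;
}

int main(void) {
    /* Constructed inputs: the second call uses the advisory's ip value after URL decoding. */
    const char *mask = "255.255.255.0", *gw = "192.168.10.50";
    printf("clean route: %d\n", validate_route_params("192.168.100.0", mask, gw));
    printf("PoC payload: %d\n", validate_route_params("192.168.100.0 `reboot`", mask, gw));
    return 0;
}
```

Values that pass should still be handed to the route tool as separate `execv()` arguments rather than interpolated into a `system()` string, so no shell ever parses them.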

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.