VYPR
Medium severity (CVSS 6.3) · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-10061

Description

A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. Affected is the function formWPS of the file /goform/formWPS. The manipulation of the argument peerPin results in command injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TRENDnet TEW-432BRP 3.10B20 has a command injection vulnerability in the formWPS function via the peerPin argument, allowing remote unauthenticated exploitation.

Vulnerability

A command injection vulnerability exists in the formWPS function within the /goform/formWPS endpoint of the TRENDnet TEW-432BRP router firmware version 3.10B20. The peerPin argument is passed directly from the HTTP request to the underlying operating system without sanitization, enabling an attacker to inject arbitrary system commands. No authentication is required to access the vulnerable endpoint. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP POST request to /goform/formWPS with the peerPin parameter containing a malicious command enclosed in backticks (e.g., `` `reboot` ``). The attacker must be able to reach the router's web interface over the network. No prior authentication is needed, and the exploit is straightforward to execute. A public proof-of-concept (PoC) demonstrates that supplying `` `reboot` `` as the peerPin value causes the router to reboot immediately. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the affected device with root privileges. This leads to a complete compromise of confidentiality, integrity, and availability. Potential outcomes include device reboot, configuration changes, disabling security features, exfiltration of sensitive data, or using the router as a foothold for further network attacks.

Mitigation

The vendor has declared the TRENDnet TEW-432BRP product end-of-life (EOL) since 2009 and stated that no patch or fix will be issued. Users who still operate this device should immediately replace it with a supported and patched model, as no workaround exists. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The formWPS function passes the attacker-controlled peerPin argument directly to an OS command without sanitization, enabling command injection."

Attack vector

An authenticated attacker sends a POST request to `/goform/formWPS` with the `peerPin` parameter containing shell metacharacters (e.g., backticks). The router executes the injected command as the `boa` process, enabling arbitrary command execution. The PoC demonstrates injecting `` `reboot` `` to trigger a reboot [ref_id=1]. The CVSS vector indicates network-based, low-privilege exploitation.

Affected code

The vulnerability resides in the `formWPS` function inside the boa binary, reachable via the `/goform/formWPS` endpoint. The `peerPin` argument is passed directly from the HTTP request to an OS command without sanitization.

What the fix does

No patch is available. The vendor states the product has been end-of-life since 2009 and will not be fixed [ref_id=1]. The researcher recommends that string content be validated during input extraction to prevent command injection, but no code change has been published.
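As an added example (not TRENDnet code and not the researcher's PoC), the allow-list validation for peerPin that the recommendation above describes, written in C as a stand-in for the check the boa formWPS handler lacks. The function names, the WPS PIN length and checksum rule, and the sample request bodies are my own assumptions and constructions, not taken from the advisory.

```c
#include <string.h>
#include <ctype.h>
#include <stdio.h>
/* Allow-list check for the WPS peerPin parameter, the validation the researcher
 * says formWPS lacks. A WPS PIN is 4 or 8 digits; in an 8-digit PIN the last
 * digit is a checksum over the first seven. Any other byte (letters, backticks,
 * ';', '|', '&', spaces) is rejected, so no shell syntax can get through. */
int peer_pin_is_valid(const char *pin)
{
    size_t len = strlen(pin);
    if (len != 4 && len != 8)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)pin[i]))
            return 0;
    if (len == 4)
        return 1;
    /* checksum: 3*(d1+d3+d5+d7) + (d2+d4+d6) + d8 must be a multiple of 10 */
    int acc = 0;
    for (int i = 0; i < 7; i++)
        acc += (pin[i] - '0') * ((i % 2 == 0) ? 3 : 1);
    return (10 - acc % 10) % 10 == pin[7] - '0';
}
/* Pull the raw peerPin value out of a form-encoded POST body (no percent-
 * decoding; simplified for the example) and validate it. 1 = acceptable. */
int body_has_valid_peer_pin(const char *body)
{
    const char *key = "peerPin=";
    const char *p = body;
    char pin[16];
    while ((p = strstr(p, key)) != NULL) {
        if (p == body || p[-1] == '&') {   /* matched a whole parameter name */
            p += strlen(key);
            size_t n = strcspn(p, "&");
            if (n >= sizeof pin)
                return 0;
            memcpy(pin, p, n);
            pin[n] = '\0';
            return peer_pin_is_valid(pin);
        }
        p += strlen(key);
    }
    return 0;
}
int main(void) {   /* constructed inputs: the advisory's PoC body, then a benign 8-digit PIN */
    const char *poc = "enable=on&peerPin=`reboot`&setPIN=Start+PIN&wpsAction=pin";
    const char *ok  = "enable=on&peerPin=12345670&setPIN=Start+PIN&wpsAction=pin";
    printf("PoC accepted: %d, benign accepted: %d\n", body_has_valid_peer_pin(poc), body_has_valid_peer_pin(ok)); /* prints 0, 1 */
    return 0;
}
```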

Preconditions

  • Network: the attacker must have network access to the router's web interface
  • Authentication: the attacker must authenticate (basic auth credentials in PoC: admin/admin)
  • Input: the peerPin parameter must be controllable via the POST body

Reproduction

Send a POST request to `http://<router-ip>/goform/formWPS` with body `` enable=on&peerPin=`reboot`&setPIN=Start+PIN&webpage=wlan_wps.asp&wpsAction=pin `` and an appropriate Basic Authorization header. The router will execute the `reboot` command [ref_id=1].

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)