VYPR
High severity, score 8.8 · NVD Advisory · Published May 30, 2026

CVE-2026-10119

Description

A security vulnerability has been detected in TRENDnet TEW-432BRP 3.10B20. The affected component is the function formSetMACFilter of the file /goform/formSetMACFilter. Manipulation of the argument filter_name leads to a stack-based buffer overflow. Remote exploitation is possible. The exploit has been disclosed publicly and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20's formSetMACFilter allows remote attackers to crash the device or execute arbitrary code.

Vulnerability

A stack-based buffer overflow vulnerability exists in the formSetMACFilter function of the /goform/formSetMACFilter endpoint on TRENDnet TEW-432BRP routers running firmware version 3.10B20. The filter_name parameter is copied directly into a stack buffer without length validation, allowing an oversized input to overwrite adjacent memory including the return address. This product has been end-of-life (EOL) since 2009 and is no longer supported by the vendor [1].

Exploitation

An attacker with network access to the router's web interface can exploit this vulnerability by sending a crafted POST request to /goform/formSetMACFilter with an excessively long filter_name value. The reference PoC demonstrates a request using default administrator credentials (admin:admin), but the function may be reachable without authentication depending on configuration. The overflow triggers a crash or can be leveraged for code execution by controlling the overwritten return address [1].

Impact

Successful exploitation allows an attacker to cause a denial of service (device crash) or achieve arbitrary code execution with the privileges of the web server process (typically root). This could lead to full compromise of the router, including interception or modification of network traffic, and use as a pivot point for further attacks on the local network.

Mitigation

No patch is available. The vendor has stated that the TEW-432BRP has been EOL for 15 years (since 2009) and they are unable to replicate or fix any vulnerabilities. Users should replace the device with a supported model as soon as possible. There is no known workaround. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"Missing input length validation in formSetMACFilter allows a stack-based buffer overflow via the filter_name parameter."

Attack vector

An attacker sends a crafted HTTP POST request to `/goform/formSetMACFilter` with an overly long `filter_name` parameter. The request requires authentication (Basic auth credentials are included in the PoC). Because the input is not validated, the oversized `filter_name` overwrites the return address on the stack, enabling arbitrary code execution. The attack is remotely exploitable over the network [ref_id=1].

Affected code

The vulnerability resides in the `formSetMACFilter` function inside the boa binary at `/goform/formSetMACFilter`. The `filter_name` parameter is copied directly to a stack buffer without length checking, leading to a stack-based buffer overflow.

What the fix does

No patch is available. The vendor states the product has been end-of-life since 2009 and will not be fixed. The researcher recommends checking the string content length during input extraction to prevent the overflow [ref_id=1]. Without a fix, users must discontinue use of the affected device.
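To make the root cause and the recommended fix concrete, the following C snippet is an added illustration, not the firmware's code (the boa binary's actual source is not published on this page). The buffer size `FILTER_NAME_MAX`, the function names, and the sample values are hypothetical; the vulnerable shape shows the unbounded copy the advisory describes, and the hardened shape applies the length check during input extraction that the researcher recommends.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size: the real TEW-432BRP stack buffer size is not published. */
#define FILTER_NAME_MAX 32

/* Vulnerable shape, as the advisory describes it: the parameter value is copied
 * straight into a fixed-size stack buffer with no length check, so a value longer
 * than the buffer overwrites adjacent stack data, including the saved return
 * address. Illustration only; not the firmware's actual code. */
void vulnerable_set_mac_filter(const char *filter_name)
{
    char name[FILTER_NAME_MAX];
    strcpy(name, filter_name);          /* unbounded copy: stack-based overflow */
    printf("filter name set to \"%s\"\n", name);
}

/* Hardened shape: validate the length while extracting the parameter and reject
 * oversized values before any copy happens. Returns true when the value fits in
 * out (including the terminating NUL) and was copied, false otherwise. */
bool hardened_set_mac_filter(const char *filter_name, char *out, size_t out_len)
{
    if (filter_name == NULL || out == NULL || out_len == 0)
        return false;
    /* strnlen never reads more than out_len bytes, so an unterminated or huge
     * input cannot make the check itself misbehave. */
    size_t n = strnlen(filter_name, out_len);
    if (n >= out_len)
        return false;                   /* no room for the terminator: reject */
    memcpy(out, filter_name, n + 1);
    return true;
}

/* Self-check: a short, well-formed name is accepted and copied intact. */
bool hardened_accepts_short_name(void)
{
    char out[FILTER_NAME_MAX];
    const char *name = "guest-laptop";  /* constructed sample value */
    return hardened_set_mac_filter(name, out, sizeof out)
        && strcmp(out, name) == 0;
}

/* Self-check: a constructed 956-byte value (the length the advisory quotes for
 * the PoC) is rejected by the hardened path and leaves out untouched. */
bool hardened_rejects_poc_length(void)
{
    char big[957];
    memset(big, 'a', 956);
    big[956] = '\0';
    char out[FILTER_NAME_MAX] = "unchanged";
    bool accepted = hardened_set_mac_filter(big, out, sizeof out);
    return !accepted && strcmp(out, "unchanged") == 0;
}

int main(void)
{
    vulnerable_set_mac_filter("guest-laptop");   /* safe only because this input is short */
    printf("short name accepted: %s\n", hardened_accepts_short_name() ? "yes" : "no");
    printf("956-byte value rejected: %s\n", hardened_rejects_poc_length() ? "yes" : "no");
    return 0;
}
```

The design point is that the bound is enforced at the extraction step, before the value reaches any fixed-size buffer, and that the check uses a bounded length primitive so the validation itself cannot over-read; a rejected value is simply dropped, which is the behaviour a patched handler would want in place of a crash.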

Preconditions

  • Network: Attacker must have network access to the router's web interface
  • Auth: Attacker must provide valid HTTP Basic authentication credentials (default credentials shown in PoC)

Reproduction

Send an HTTP POST request to `/goform/formSetMACFilter` with a `filter_name` value consisting of many 'a' characters (e.g., 956 bytes as shown in the PoC). The router will crash and become unresponsive [ref_id=1].

Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
