CVE-2026-10120
Description
A vulnerability was detected in TRENDnet TEW-432BRP 3.10B20. The affected element is the function formSetFirewallRule of the file /goform/formSetFirewallRule. The manipulation of the argument firewall_name results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in TRENDnet TEW-432BRP firmware 3.10B20 allows remote unauthenticated attackers to execute arbitrary code via a crafted firewall_name parameter.
Vulnerability
The vulnerability is a stack-based buffer overflow in the formSetFirewallRule function within the /goform/formSetFirewallRule file of TRENDnet TEW-432BRP firmware version 3.10B20. The firewall_name parameter is copied directly to a stack buffer without length validation, causing a buffer overflow when an overly long string is supplied. The product has been end-of-life since 2009 and is no longer supported by the vendor [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP POST request to /goform/formSetFirewallRule with an excessively long firewall_name value. The provided proof-of-concept demonstrates a crash using a string of 'a' characters. The attack requires network access to the router's web interface; the PoC uses default credentials (admin:admin), indicating no prior authentication is necessary. The overflow overwrites the return address on the stack, enabling arbitrary code execution [1].
Impact
Successful exploitation allows remote code execution with the privileges of the web server (typically root). This can lead to full compromise of the router, including data exfiltration, network pivoting, or incorporation into botnets. The exploit is publicly available and actively used [1].
Mitigation
The vendor has confirmed that the product is end-of-life since 2009 and will not release a fix. Users should replace the device with a supported model. No workaround exists. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: =3.10B20
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation in the formSetFirewallRule function allows a stack-based buffer overflow via the firewall_name parameter."
Attack vector
An unauthenticated attacker sends a crafted HTTP POST request to `/goform/formSetFirewallRule` with an overly long `firewall_name` parameter. The input is directly copied to a stack buffer without bounds checking, overwriting the return address and allowing arbitrary code execution. The attack is remotely exploitable over the network [ref_id=1].
Affected code
The vulnerability resides in the `formSetFirewallRule` function inside the `boa` binary, specifically in the file `/goform/formSetFirewallRule`. The argument `firewall_name` is copied to a stack-based local variable without any length check, leading to a stack-based buffer overflow.
What the fix does
No patch is available. The vendor states the product has been end-of-life for 15 years (since 2009) and will not replicate or fix any vulnerabilities. The researcher recommends checking string content length during input extraction to prevent the overflow [ref_id=1].
Preconditions
- networkThe attacker must be able to send HTTP requests to the router's web interface.
- authNo authentication is required; the PoC uses Basic auth credentials but the overflow occurs before any authorization check.
Reproduction
Send a POST request to `/goform/formSetFirewallRule` with a `firewall_name` parameter containing a long string of 'a' characters (e.g., 1067 bytes). The router will crash and become unresponsive [ref_id=1].
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.