VYPR
High severity (8.8) · NVD Advisory · Published May 30, 2026

CVE-2026-10123

Description

A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetDomainFilter of the file /goform/formSetDomainFilter. Performing a manipulation of the argument blocked_domain/permitted_domain/blocked_domain_list/permitted_domain_list results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in TRENDnet TEW-432BRP firmware 3.10B20 via formSetDomainFilter lets a remote attacker who can reach the web interface crash the device or execute arbitrary code; the public PoC sends an HTTP Basic Authorization header and the device ships with default admin:admin credentials, so that step is a low barrier. The product has been end-of-life since 2009 and no fix is available.

Vulnerability

A stack-based buffer overflow vulnerability exists in the formSetDomainFilter function of the TRENDnet TEW-432BRP router firmware version 3.10B20. The function is reached through the /goform/formSetDomainFilter endpoint and accepts the arguments blocked_domain, permitted_domain, blocked_domain_list, and permitted_domain_list without checking their length. When an attacker supplies an overly long value for any of these parameters, it is copied into a fixed-size local stack buffer; the copy overruns the buffer and overwrites the saved return address [1].

Exploitation

A remote attacker who can reach the web interface can trigger the vulnerability by sending a crafted POST request to /goform/formSetDomainFilter with a long string in one of the vulnerable parameters (e.g., blocked_domain_list). The public proof-of-concept demonstrates a crash by sending a string of repeated 'a' characters; because the overflow reaches the saved return address, a crafted payload can turn the crash into arbitrary code execution. The PoC sends an HTTP Basic Authorization header, and the router ships with default credentials (admin:admin), so authentication is not a meaningful obstacle if the device is exposed [1].

Impact

Successful exploitation allows an attacker to cause a denial of service (device crash) or execute arbitrary code with root privileges on the router. This can lead to full compromise of the network device, enabling data exfiltration, malware installation, or use as a pivot point for further attacks. The product is end-of-life, so no security updates will be provided [1].

Mitigation

The vendor has confirmed that the TRENDnet TEW-432BRP has been end-of-life since 2009 and will not release a patch for this vulnerability. No vendor workaround exists. The only effective mitigation is to replace the device with a supported model that receives security updates. Until it is replaced, keep its web interface off the WAN and reachable only from trusted management hosts, and change the default admin:admin credentials; these reduce exposure but do not remove the bug. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input length validation in the formSetDomainFilter function allows a stack-based buffer overflow."

Attack vector

A remote attacker with network access to the router's web interface sends a crafted HTTP POST request to `/goform/formSetDomainFilter` with an overly long value in one of the four parameters (`blocked_domain`, `permitted_domain`, `blocked_domain_list`, `permitted_domain_list`). The input is copied onto the stack without bounds checking, overwriting the return address and enabling arbitrary code execution [ref_id=1]. The PoC includes a hardcoded HTTP Basic Authorization header, and the advisory does not state whether the handler can be reached without one; the 8.8 score is below the 9.8 a network vector needing no privileges and no user interaction would carry, which is consistent with credentials being required. In practice the device's default admin:admin credentials make that requirement easy to meet.

Affected code

The vulnerability resides in the `formSetDomainFilter` function inside the `/goform/formSetDomainFilter` handler of the TRENDnet TEW-432BRP firmware version 3.10B20. The parameters `blocked_domain`, `permitted_domain`, `blocked_domain_list`, and `permitted_domain_list` are copied directly into a stack buffer without length checking, leading to a stack-based buffer overflow [ref_id=1].

What the fix does

No patch is available. The vendor states the product has been end-of-life since 2009 and will not be fixed [ref_id=1]. The researcher recommends that string content be validated during input extraction to prevent the overflow. Without a patch, the only mitigation is to replace or isolate the device.
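To make the affected-code description and the researcher's recommendation concrete, here is an added example; it is not TRENDnet's firmware and not the researcher's code. It shows one form parameter copied into a fixed-size stack buffer, first in the unchecked form the advisory describes, then with length and content validation applied during extraction so that an over-long or malformed value rejects the request before any byte is copied. The parameter name `blocked_domain_list` comes from the advisory; the 256-byte buffer size, the `list_char_ok` domain-list syntax, and the `form_find` helper are assumptions (the `/goform` path suggests a GoAhead-style handler, whose own parameter API is not modeled here). The request bodies are constructed, not captured traffic.

```c
/* Added example, not TRENDnet code: one form parameter copied into a fixed
 * stack buffer, first unchecked (the pattern the advisory describes), then
 * with the length and content checks the researcher recommends. Buffer size,
 * list syntax and the form lookup are assumptions, not the real firmware. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DOMAIN_LIST_MAX 256  /* assumed; the real buffer size is unpublished */

/* Find "name=" in an x-www-form-urlencoded body; returns the raw value and
 * its length (no percent-decoding), or NULL when absent. */
static const char *form_find(const char *body, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1, *end = strchr(v, '&');
            *vlen = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* Unchecked pattern: a 900-byte value overruns list[] and the saved return
 * address behind it. Kept for contrast; main() only feeds it a short value. */
static void domain_filter_unchecked(const char *body)
{
    char list[DOMAIN_LIST_MAX];
    size_t vlen = 0;
    const char *v = form_find(body, "blocked_domain_list", &vlen);
    if (!v) return;
    memcpy(list, v, vlen);   /* vlen is never compared with sizeof list */
    list[vlen] = '\0';
}

/* Domain list syntax: label characters plus ',' and ';' separators (assumed). */
static int list_char_ok(unsigned char c)
{
    return isalnum(c) || c == '.' || c == '-' || c == ',' || c == ';';
}

/* Hardened extraction: copy only if the value exists, fits with its
 * terminator and is all domain-list characters; -1 rejects the request. */
int domain_filter_checked(const char *body, const char *param, char *out, size_t outlen)
{
    size_t vlen = 0;
    const char *v = form_find(body, param, &vlen);
    if (!v || vlen >= outlen) return -1;
    for (size_t i = 0; i < vlen; i++)
        if (!list_char_ok((unsigned char)v[i])) return -1;
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

/* Constructed request bodies, not captured traffic. */
static const char OK_BODY[] =
    "blocked_domain=&blocked_domain_list=example.com;ads.example.net";

static void build_poc_body(char *dst)   /* dst needs 921 bytes: 900 'a's like the PoC */
{
    static const char prefix[] = "blocked_domain_list=";
    size_t plen = sizeof prefix - 1;
    memcpy(dst, prefix, plen);
    memset(dst + plen, 'a', 900);
    dst[plen + 900] = '\0';
}

int check_normal(void)        /* 27: the list is accepted */
{
    char buf[DOMAIN_LIST_MAX];
    return domain_filter_checked(OK_BODY, "blocked_domain_list", buf, sizeof buf);
}

int check_poc_length(void)    /* -1: rejected before a byte is copied */
{
    char body[1024], buf[DOMAIN_LIST_MAX];
    build_poc_body(body);
    return domain_filter_checked(body, "blocked_domain_list", buf, sizeof buf);
}

int check_bad_chars(void)     /* -1: fits, but '`' is not domain syntax */
{
    char buf[DOMAIN_LIST_MAX];
    return domain_filter_checked("blocked_domain_list=evil.com;`reboot`",
                                 "blocked_domain_list", buf, sizeof buf);
}

int main(void)
{
    printf("normal=%d poc_length=%d bad_chars=%d\n",
           check_normal(), check_poc_length(), check_bad_chars());
    domain_filter_unchecked(OK_BODY);
    return 0;
}
```

The checked version returns the accepted length on success and -1 otherwise, so the caller can answer the request with an error instead of silently truncating; truncating with `strncpy` would avoid the crash but still accept a malformed list. The content check matters independently of the length check, since a value that fits in the buffer can still carry characters the rest of the firmware may later hand to a shell or a config writer.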

Preconditions

  • Network access to the router's web interface (port 80/443).
  • Web-interface credentials: the PoC sends an HTTP Basic Authorization header, and the device ships with the default admin:admin.
  • The product is the TRENDnet TEW-432BRP running firmware version 3.10B20, which is end-of-life and unsupported.

Reproduction

Send an HTTP POST request to `http://<router-ip>/goform/formSetDomainFilter`, carrying the Basic Authorization header the PoC uses, with a long `blocked_domain_list` parameter (e.g., 900+ 'a' characters) as shown in the PoC [ref_id=1]. The router crashes and becomes unresponsive.

Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.