CVE-2026-10160
Description
Stack-based buffer overflow in TRENDnet TEW-432BRP's formSetEnableWizard allows remote unauthenticated attackers to crash the device or execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow vulnerability exists in the formSetEnableWizard function within the /goform/formSetEnableWizard endpoint of the TRENDnet TEW-432BRP router running firmware version 3.10B20 [1]. The function copies the attacker-controlled webpage parameter into a stack-based buffer without length validation, leading to a buffer overflow [1]. This product has been end-of-life (EOL) since 2009, and the vendor states they cannot replicate or fix the issue [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted POST request to /goform/formSetEnableWizard with an overly long webpage parameter [1]. The PoC demonstrates that a long string of 'a' characters (e.g., 837 bytes) triggers the overflow [1]. The request uses basic authentication (default credentials admin:admin), but no other user interaction is required [1].
Impact
Successful exploitation can cause the router to crash, resulting in denial of service. More critically, the overflow overwrites the return address on the stack, allowing an attacker to achieve arbitrary code execution with the privileges of the boa web server process, likely root [1].
Mitigation
No patch or fix is available because the TRENDnet TEW-432BRP is end-of-life and no longer supported [1]. Users should replace the device with a currently supported model. As a temporary workaround, restrict network access to the router's web interface to trusted hosts only [1].
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TRENDnet TEW-432BRP firmware, version range: = 3.10B20
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation in the `formSetEnableWizard` function allows a stack-based buffer overflow via the `webpage` parameter."
Attack vector
An unauthenticated attacker sends a crafted POST request to `/goform/formSetEnableWizard` with an overly long `webpage` argument [1]. The request is sent over HTTP to the router's web interface, typically at `192.168.10.1` [1]. Because the input is not validated, the long string overflows the stack buffer, overwriting the return address and causing a crash or potentially arbitrary code execution [1].
Affected code
The vulnerability resides in the `formSetEnableWizard` function, the handler for the `/goform/formSetEnableWizard` endpoint in the boa binary of the TRENDnet TEW-432BRP (firmware version 3.10B20) [1]. The function copies the attacker-supplied `webpage` parameter directly into a local stack variable without any length check [1].
What the fix does
No patch is available. The vendor states the product has been end-of-life since 2009 and will not replicate or fix any vulnerabilities [1]. The researcher recommends that string content should be checked during input extraction to prevent the overflow [1]. Users are advised to replace the device with a supported model.
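The following is an added illustration, not code from the TEW-432BRP firmware or from the advisory: it shows the shape of the flaw described under "Affected code" (an unbounded copy of a request parameter into a fixed stack buffer) next to the kind of length check during input extraction that the researcher recommends. The buffer size, function names and the 'a'-filled sample values are assumptions made for the example; the real buffer size is not stated on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for illustration; the advisory does not state the
 * real size of the stack buffer in formSetEnableWizard. */
#define WEBPAGE_BUF_LEN 64

/* Illustrative shape of the flaw (hypothetical; not the TEW-432BRP code):
 * the parameter value is copied into a fixed-size stack buffer with no
 * length check, so any value of WEBPAGE_BUF_LEN bytes or more overruns
 * the buffer and the saved return address above it. Never called here. */
int set_wizard_unchecked(const char *webpage_param)
{
    char page[WEBPAGE_BUF_LEN];
    strcpy(page, webpage_param);   /* unbounded copy: the overflow */
    return 0;
}

/* Bounded length: counts at most `limit` bytes, never reads past them. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened extraction: copy the parameter only if it fits, including the
 * terminating NUL. Returns 0 on success, -1 if missing or too long. */
int copy_webpage_param(const char *webpage_param, char *dst, size_t dst_len)
{
    if (webpage_param == NULL || dst == NULL || dst_len == 0)
        return -1;
    size_t n = bounded_len(webpage_param, dst_len);
    if (n >= dst_len)              /* no room for the NUL: reject */
        return -1;
    memcpy(dst, webpage_param, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened handler (hypothetical): the length check happens during input
 * extraction, so an oversize value is rejected before it reaches the
 * stack buffer. A real handler would answer 400 Bad Request on -1. */
int set_wizard_checked(const char *webpage_param)
{
    char page[WEBPAGE_BUF_LEN];
    if (copy_webpage_param(webpage_param, page, sizeof page) != 0)
        return -1;
    return 0;
}

/* Demonstration helper: feed the checked handler a constructed value of
 * `len` 'a' characters and return the handler's result. */
int checked_result_for_len(size_t len)
{
    char *val = malloc(len + 1);
    if (val == NULL)
        return -1;
    memset(val, 'a', len);
    val[len] = '\0';
    int rc = set_wizard_checked(val);
    free(val);
    return rc;
}

int main(void)
{
    printf("len 10  -> %d\n", checked_result_for_len(10));   /* 0: accepted */
    printf("len 63  -> %d\n", checked_result_for_len(63));   /* 0: fits with NUL */
    printf("len 64  -> %d\n", checked_result_for_len(64));   /* -1: rejected */
    printf("len 837 -> %d\n", checked_result_for_len(837));  /* -1: the PoC length */
    return 0;
}
```

The check sits in the extraction routine rather than in the handler body, so every handler that reuses `copy_webpage_param` inherits the bound; a value of 837 bytes, the length the advisory's PoC uses, is refused before any copy takes place.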
Preconditions
- Network: The attacker must have network access to the router's web interface (typically on the LAN at 192.168.10.1).
- Authentication: No authentication is required; the PoC includes a Basic Authorization header but the advisory does not state authentication is a barrier.
- Input: The attacker sends a POST request with a `webpage` parameter exceeding the stack buffer size.
Reproduction
Send a POST request to `http://192.168.10.1/goform/formSetEnableWizard` with a long `webpage` parameter. The following curl command reproduces the crash:
```
curl -X POST http://192.168.10.1/goform/formSetEnableWizard \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic YWRtaW46YWRtaW4=" \
  -d "next=Next+%3E&start_wizard=0&webpage=$(python3 -c 'print("a"*800)')"
```
The router will crash and become unresponsive [1].
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.