CVE-2026-10162
Description
Stack-based buffer overflow in TRENDnet TEW-432BRP formSetPassword allows remote unauthenticated attackers to crash the device or execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in TRENDnet TEW-432BRP formSetPassword allows remote unauthenticated attackers to crash the device or execute arbitrary code.
Vulnerability
A stack-based buffer overflow exists in the formSetPassword function of the /goform/formSetPassword endpoint in TRENDnet TEW-432BRP firmware version 3.10B20. The webpage argument is copied directly to a stack buffer without length validation, allowing an attacker to overflow the buffer and overwrite the return address. This product has been end-of-life (EOL) since 2009 and is no longer supported by the vendor [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to the vulnerable endpoint. No authentication is required if the device uses default credentials (as shown in the published PoC, which includes an Authorization header with base64-encoded admin:admin). The attacker supplies an overly long webpage parameter in the POST body, causing the stack overflow. The published proof-of-concept demonstrates a crash by sending a string of 870 'a' characters [1].
Impact
Successful exploitation allows an attacker to overwrite the return address on the stack, leading to arbitrary code execution with the privileges of the boa web server process. This can result in full compromise of the router, including disclosure of network traffic, modification of device settings, and use as a pivot for further attacks. At a minimum, the device crashes, causing denial of service [1].
Mitigation
No patch is available. The vendor has stated that the product has been EOL for 15 years (since 2009) and will not be fixed [1]. Users should replace the device with a supported model and isolate any remaining units from untrusted networks. There is no known workaround.
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: =3.10B20
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation in the `formSetPassword` function allows a stack-based buffer overflow when the `webpage` argument is copied into a fixed-size stack buffer."
Attack vector
An unauthenticated attacker sends a crafted POST request to `/goform/formSetPassword` with an overly long `webpage` parameter. The researcher's PoC shows a POST body containing 870 bytes of `'a'` characters in the `webpage` field, which overflows the stack buffer and overwrites the return address [ref_id=1]. The attack is launched remotely over HTTP and requires no prior authentication (the PoC uses the default `admin:admin` credentials in the Authorization header).
Affected code
The vulnerability resides in the `formSetPassword` function inside the boa binary, specifically in the file `/goform/formSetPassword`. The `webpage` argument is copied directly into a stack-based local variable without any length check [ref_id=1].
What the fix does
No patch is available. The vendor states the product has been end-of-life since 2009 and will not be fixed [ref_id=1]. The researcher recommends that string content should be checked during input extraction to prevent the buffer overflow [ref_id=1].
Preconditions
- networkThe attacker must be able to send HTTP requests to the router's management interface (typically on port 80).
- authThe PoC uses the default admin:admin credentials; if credentials have been changed, the attacker would need valid authentication.
Reproduction
Send a POST request to `http://<router-ip>/goform/formSetPassword` with a `webpage` parameter containing approximately 870 bytes of `'a'` characters. The researcher's exact PoC request includes additional form fields (`adm_pwd1`, `adm_pwd2`, `user_pwd1`, `user_pwd2`) and a Basic Authorization header with `YWRtaW46YWRtaW4=` (admin:admin) [ref_id=1]. The router will crash and become unresponsive.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.