CVE-2026-10179
Description
Stack-based buffer overflow in TRENDnet TEW-432BRP formSetWlanEncrypt allows remote unauthenticated arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in TRENDnet TEW-432BRP formSetWlanEncrypt allows remote unauthenticated arbitrary code execution.
Vulnerability
A stack-based buffer overflow exists in the TRENDnet TEW-432BRP router firmware version 3.10B20 within the /goform/formSetWlanEncrypt endpoint. The webpage argument is copied directly into a stack-based buffer without length validation, leading to a controlled overflow that overwrites the return address [1]. The product has been end-of-life (EOL) since 2009, and no patches are available.
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP POST request to /goform/formSetWlanEncrypt with an excessively long webpage parameter. The proof-of-concept demonstrates a request using default administrator credentials (admin:admin) that crashes the device when the payload is longer than the buffer [1]. No additional privileges or user interaction are required.
Impact
Successful exploitation allows an attacker to overwrite the return address and achieve arbitrary code execution on the affected router. This compromises the confidentiality, integrity, and availability of the device, giving the attacker full control over network traffic and device settings [1].
Mitigation
No fix is provided because the product has been EOL for over 15 years and the vendor will not reproduce or patch the issue [1]. Users should replace the TRENDnet TEW-432BRP with a supported device. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: = 3.10B20
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation in the formSetWlanEncrypt function allows an attacker-supplied webpage parameter to be copied directly into a fixed-size stack buffer, causing a stack-based buffer overflow."
Attack vector
An authenticated attacker sends a crafted HTTP POST request to the endpoint /goform/formSetWlanEncrypt with an overly long webpage parameter [ref_id=1]. The parameter value is copied without bounds checking into a local stack buffer, overwriting the return address and adjacent stack data [CWE-121]. The attack is remotely exploitable over the network and requires only low-privilege authentication (HTTP Basic auth) [ref_id=1]. A successful overflow can crash the router or enable arbitrary code execution.
Affected code
The vulnerable function is `formSetWlanEncrypt` in the boa binary at the file path `/goform/formSetWlanEncrypt` [ref_id=1]. The `webpage` parameter is copied directly into a local stack variable without any length check, causing the overflow [ref_id=1].
What the fix does
No patch is available. The vendor states the product (TEW-432BRP) has been end-of-life since 2009 and will not be fixed [ref_id=1]. The researcher recommends that string content length be checked during input extraction to prevent the overflow [ref_id=1]. Users should replace the device with a supported model, as no remediation will be provided.
Preconditions
- networkAttacker must have network access to the router's web interface (typically LAN or exposed WAN).
- authAttacker must authenticate with valid HTTP Basic credentials (default credentials are often admin/admin).
- inputThe vulnerable endpoint /goform/formSetWlanEncrypt must be reachable.
Reproduction
Send an HTTP POST request to `http://<router-ip>/goform/formSetWlanEncrypt` with a `webpage` parameter containing a long string of 'a' characters (e.g., 500+ bytes). The researcher's PoC uses a POST body with `webpage=aaa...a` (approximately 1000 'a' characters) along with other form fields [ref_id=1]. The router will crash and become unresponsive, requiring a power cycle to recover [ref_id=1].
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5News mentions
0No linked articles in our index yet.