CVE-2026-10180
Description
Command injection in TRENDnet TEW-432BRP router's formSysCmd function allows remote attackers to execute arbitrary OS commands via sysCmd parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in the formSysCmd function within the /goform/formSysCmd file of the TRENDnet TEW-432BRP router running firmware version 3.10B20 [1]. The function passes the sysCmd argument directly to the operating system without proper sanitization, enabling an attacker to inject arbitrary commands [1]. This product has been end-of-life since 2009 and is no longer supported by the vendor [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted POST request to /goform/formSysCmd with a malicious sysCmd parameter [1]. The attacker does not need prior authentication beyond the default credentials, which are commonly unchanged [1]. The proof-of-concept includes setting sysCmd to `reboot` to trigger a device reboot [1]. No user interaction is required, and the attack can be launched from the local network [1].
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands with the privileges of the web server process (likely root), leading to full compromise of the device [1]. This can result in denial of service, information disclosure, or further attacks on the network [1]. Because the product is end-of-life, no security updates are available [1].
Mitigation
No patch will be released by TRENDnet, as the TEW-432BRP has been end-of-life since 2009 and the vendor states they are unable to replicate or fix vulnerabilities [1]. The only recommended mitigation is to retire and replace the device with a currently supported model [1]. The device is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 3.10B20
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation in the formSysCmd function allows an attacker-supplied sysCmd parameter to be passed directly to the operating system without sanitization."
Attack vector
An unauthenticated attacker sends a crafted POST request to /goform/formSysCmd with a sysCmd parameter containing arbitrary shell commands (e.g., `reboot`). The router's boa web server passes the attacker-controlled sysCmd value directly to the OS for execution. The request requires only network access to the router's web interface and the default Basic authentication credentials (admin:admin) shown in the PoC [1]. No additional privileges or special network position are needed beyond being able to reach the device.
Affected code
The vulnerable function is formSysCmd in the boa binary at the file path /goform/formSysCmd [1]. The function passes the attacker-controlled sysCmd argument directly to the operating system without any sanitization or validation.
What the fix does
No patch is available. The vendor states the product has been end-of-life since 2009 and will not be fixed [1]. The researcher recommends that string content should be checked in the input extraction portion of the code to prevent command injection [1]. Without a patch, the only remediation is to replace or isolate the device.
Preconditions
- network: Attacker must have network access to the router's web interface (typically LAN or exposed WAN port).
- auth: The PoC uses Basic authentication with default credentials (admin:admin), though the advisory does not specify whether authentication is enforced.
Reproduction
Send a POST request to http://<router-ip>/goform/formSysCmd with body ``sysCmd=`reboot`&apply=Apply&submit-url=%2Fshell.asp&msg=`` and an appropriate Basic auth header. The router will execute the injected command (e.g., reboot) [1].
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
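Because the device cannot be patched, monitoring for requests to the affected endpoint is one way to find routers that are still deployed and being targeted. The following is an added detection example, not code from the advisory or the vendor: it inspects a captured HTTP request for the POST described above. It assumes full request captures (headers and body) are available from a proxy or network sensor; the function name, the sample requests and the 192.0.2.1 address are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/formSysCmd"      # path named in the advisory
DEFAULT_CREDS = "admin:admin"        # default credentials shown in the PoC
SHELL_META = set("`$;|&<>\n")        # characters that chain or substitute commands


def inspect_request(raw: str):
    """Return a finding dict for a captured HTTP request, or None if unrelated."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return None                  # not a well-formed request line
    if method.upper() != "POST" or urlsplit(target).path != ENDPOINT:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # parse_qs URL-decodes the form body, so encoded metacharacters are seen too
    sys_cmd = parse_qs(body, keep_blank_values=True).get("sysCmd", [""])[0]
    scheme, _, token = headers.get("authorization", "").partition(" ")
    creds = ""
    if scheme.lower() == "basic":
        try:
            creds = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:           # malformed base64
            creds = ""
    return {
        "sys_cmd": sys_cmd,
        "shell_metachars": sorted(SHELL_META & set(sys_cmd)),
        "default_creds": creds == DEFAULT_CREDS,
    }


# Constructed sample captures (not real traffic); the body is the one quoted on this page.
TOKEN = base64.b64encode(DEFAULT_CREDS.encode()).decode()
SAMPLE_POC = (
    "POST /goform/formSysCmd HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    f"Authorization: Basic {TOKEN}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "sysCmd=`reboot`&apply=Apply&submit-url=%2Fshell.asp&msg="
)
SAMPLE_OTHER = "GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_POC, SAMPLE_OTHER):
        print(inspect_request(sample))
```

Any POST to this endpoint is worth reviewing, since the handler exists to run commands; the metacharacter and default-credential fields only help prioritise the finding.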
References
News mentions
No linked articles in our index yet.