VYPR
High severity 8.8 · NVD Advisory · Published May 31, 2026

CVE-2026-10181

Description

TRENDnet TEW-432BRP firmware 3.10B20 has a stack-based buffer overflow in formSysCmd via submit-url, allowing remote unauthenticated code execution on an EOL router.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stack-based buffer overflow vulnerability exists in the formSysCmd function of the /goform/formSysCmd file in TRENDnet TEW-432BRP firmware version 3.10B20. The submit-url argument is directly copied to a local stack buffer without bounds checking, enabling an overflow that can overwrite the return address [1]. The affected product is end-of-life and no longer supported by the vendor.

Exploitation

An unauthenticated attacker can exploit this remotely by sending a crafted HTTP POST request to /goform/formSysCmd with an overly long submit-url parameter. The proof-of-concept demonstrates sending 838 bytes of 'a' characters in the submit-url field, which causes the router to crash [1]. The request requires no prior authentication, and the attacker only needs network access to the router's management interface.

Impact

Successful exploitation allows the attacker to execute arbitrary code on the device, effectively gaining full control of the router. The overflow overwrites the return address, enabling remote code execution (RCE) at the privilege level of the boa web server process. This can lead to complete compromise of the device and the network segment it manages.

Mitigation

The vendor has declared the product end-of-life since 2009 and stated they are unable to replicate or fix the vulnerability. No patch or workaround is available. Users are strongly advised to retire and replace the TEW-432BRP router with a supported device that receives security updates. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input length validation in the `formSysCmd` function allows a stack-based buffer overflow via the `submit-url` parameter."

Attack vector

An attacker sends a crafted POST request to `/goform/formSysCmd` with an overly long `submit-url` parameter. The request must include valid HTTP Basic authentication credentials (e.g., `YWRtaW46YWRtaW4=`) and a `Content-Type: application/x-www-form-urlencoded` header [1]. Because the input is not validated, the long `submit-url` overflows the stack buffer, overwriting the return address and enabling arbitrary code execution [1]. The attack is remotely exploitable over the network.

Affected code

The vulnerability resides in the `formSysCmd` function within the `/goform/formSysCmd` handler of the boa binary on the TRENDnet TEW-432BRP (firmware version 3.10B20). The `submit-url` argument is copied directly into a stack-local variable without any length check [1].

What the fix does

No patch is available. The vendor states the product has been end-of-life since 2009 and will not be fixed [1]. The researcher recommends checking the string content during input extraction to prevent the buffer overflow [1]. Users should replace the device with a supported model, as no remediation will be provided.
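As an added illustration of the unchecked copy described under "Affected code" and the length check recommended above, the following is not the boa binary's code (which this page does not show) but a hypothetical handler: the vulnerable pattern appears as a comment beside a bounded extraction that rejects an oversized `submit-url`. The form parser, `SUBMIT_URL_MAX`, and the 838-byte test body are constructed assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical reconstruction, not the TEW-432BRP boa code: a CGI handler
 * pulling "submit-url" out of a form body into a fixed stack buffer.
 * SUBMIT_URL_MAX is an assumed size; the real buffer size is not published. */
#define SUBMIT_URL_MAX 64

/* Find key=value in an application/x-www-form-urlencoded body; sets *len. */
static const char *form_value(const char *body, const char *key, size_t *len) {
    size_t klen = strlen(key);
    for (const char *p = body; p; p = strchr(p, '&') ? strchr(p, '&') + 1 : NULL) {
        if (strncmp(p, key, klen) != 0 || p[klen] != '=') continue;
        const char *v = p + klen + 1, *end = strchr(v, '&');
        *len = end ? (size_t)(end - v) : strlen(v);
        return v;
    }
    return NULL;
}

/* Vulnerable pattern (CWE-121), shown only as a comment so it never executes:
 *   char submit_url[SUBMIT_URL_MAX]; strcpy(submit_url, value);
 * An 838-byte value runs past the buffer and over the saved return address.
 * Hardened form below: the length is checked before the copy, and oversized
 * input is rejected so the handler can answer 400 instead of crashing. */
bool get_submit_url(const char *body, char *out, size_t out_size) {
    size_t len = 0;
    const char *v = form_value(body, "submit-url", &len);
    if (v == NULL) { out[0] = '\0'; return true; }  /* absent: empty string */
    if (len >= out_size) return false;               /* no room for NUL: reject */
    memcpy(out, v, len);
    out[len] = '\0';
    return true;
}

/* 1 if a normal submit-url (constructed body) is accepted and copied intact. */
int demo_accepts_normal(void) {
    char buf[SUBMIT_URL_MAX];
    return get_submit_url("sysCmd=ls&apply=Apply&submit-url=/index.asp&msg=",
                          buf, sizeof buf) && strcmp(buf, "/index.asp") == 0;
}

/* 1 if a body carrying an 838-byte submit-url (the PoC size) is rejected. */
int demo_rejects_oversized(void) {
    char body[1024], buf[SUBMIT_URL_MAX];
    size_t n = strlen(strcpy(body, "sysCmd=ls&apply=Apply&submit-url="));
    memset(body + n, 'a', 838);
    strcpy(body + n + 838, "&msg=");
    return !get_submit_url(body, buf, sizeof buf);
}
```

The parser deliberately does no percent-decoding, so the length check applies to the raw body; a real handler must bound the decoded length as well.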

Preconditions

  • auth: Attacker must have valid HTTP Basic authentication credentials for the router's web interface.
  • network: The router must be reachable over the network (HTTP on port 80 or similar).
  • input: The attacker sends a POST request with a `submit-url` parameter exceeding the stack buffer size.

Reproduction

Send a POST request to `http://<router-ip>/goform/formSysCmd` with the body containing `sysCmd=ls&apply=Apply&submit-url=<long-string-of-'a's>&msg=`. The PoC uses 838 bytes of `'a'` characters for `submit-url` and includes the `Authorization: Basic YWRtaW46YWRtaW4=` header [1]. The router will crash and become unresponsive.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.