CVE-2026-10182
Description
Command injection in TRENDnet TEW-432BRP firmware 3.10B20 via enrollee parameter in formWlanSetup allows remote unauthenticated attackers to execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in the formWlanSetup function within the /goform/formWlanSetup endpoint of TRENDnet TEW-432BRP firmware version 3.10B20. The enrollee argument is directly passed to an OS command without sanitization, allowing an attacker to inject arbitrary shell commands. The affected product has been end-of-life (EOL) since 2009 and is no longer supported by the vendor [1].
Exploitation
An attacker with network access to the router's web management interface can send a crafted POST request to /goform/formWlanSetup. When the enrollee parameter is wrapped in backticks or other command-substitution characters, the injected command is executed. The management interface is normally protected by HTTP Basic authentication, but the default credentials (admin/admin) are widely known and often left unchanged, so in practice the exploit can succeed without any device-specific secret. A publicly available proof-of-concept demonstrates injection of the reboot command [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the device with root privileges. This can lead to full compromise of the router, including data exfiltration, denial of service, or use as a pivot point for further attacks on the local network. The vulnerability is remotely exploitable and has a CVSS v3 score of 6.3 (Medium) [1].
Mitigation
The vendor has confirmed that the TRENDnet TEW-432BRP is end-of-life and no security patches will be issued. Users are strongly advised to replace the device with a supported model. No workarounds exist, and the vulnerability is publicly known. As of the publication date, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TRENDnet TEW-432BRP, version range: = 3.10B20
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `formWlanSetup` function allows the `enrollee` parameter to be passed directly to a system shell."
Attack vector
An attacker sends a crafted HTTP POST request to `/goform/formWlanSetup` with the `enrollee` parameter containing shell metacharacters (e.g., backticks) [ref_id=1]. The attacker must be authenticated (the PoC includes a Basic Authorization header) and have network access to the router's web interface [ref_id=1]. The `enrollee` value is passed unsanitized to a system call, allowing arbitrary command execution [ref_id=1].
Affected code
The vulnerable function is `formWlanSetup`, reached through the `/goform/formWlanSetup` endpoint served by the `boa` web-server binary on the TRENDnet TEW-432BRP (firmware version 3.10B20) [ref_id=1]. The `enrollee` parameter is passed directly from the HTTP POST request to the operating system without sanitization [ref_id=1].
What the fix does
No patch is available. The vendor states the product has been end-of-life since 2009 and will not be fixed [ref_id=1]. The researcher recommends validating and sanitizing string content at the input-extraction stage, before it reaches any system call, to prevent command injection [ref_id=1].
Preconditions
- network: Attacker must have network access to the router's web interface
- auth: Attacker must be authenticated (Basic Auth credentials required)
- input: Attacker must send a POST request with a crafted `enrollee` parameter containing shell metacharacters
Reproduction
1. Send a POST request to `http://<router-ip>/goform/formWlanSetup` with the body ``setPIN=Start+PIN&enrollee=`reboot`&webpage=wlan_wps.asp`` and a valid Basic Authorization header [ref_id=1].
2. The router executes the injected command (e.g., `reboot`) [ref_id=1].
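Added example, not code from the page, the researcher, or TRENDnet's firmware: a hardened input-extraction routine in C of the kind the fix recommendation above calls for, which doubles as a detection check over request bodies shaped like the reproduction step. It assumes the `enrollee` field is meant to carry an 8-digit WPS PIN (the page does not state the real format, so the allowlist is an assumption to adapt) and that the body is `application/x-www-form-urlencoded`; every sample body is constructed here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters that would let a form value escape a shell command line
   (command substitution, chaining, redirection, quoting, newlines). */
static const char SHELL_META[] = "`$;|&<>(){}\n\r'\"\\";

bool contains_shell_meta(const char *s)
{
    return strpbrk(s, SHELL_META) != NULL;
}

/* Strict allowlist for the enrollee value. ASSUMPTION: an 8-digit WPS PIN.
   The page does not give the real format; adjust to what the handler needs. */
bool enrollee_is_valid(const char *s)
{
    size_t n = strlen(s);
    if (n != 8)
        return false;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return false;
    return true;
}

/* Extract one field from an x-www-form-urlencoded body and percent-decode it
   into out. Returns the decoded length, or -1 if the field is absent or would
   overflow out; bounding the copy is part of the fix, not an afterthought. */
int get_form_field(const char *body, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t o = 0;
            while (*v != '\0' && *v != '&') {
                if (o + 1 >= outlen)
                    return -1;
                if (*v == '%' && isxdigit((unsigned char)v[1]) &&
                    isxdigit((unsigned char)v[2])) {
                    char hex[3] = { v[1], v[2], '\0' };
                    out[o++] = (char)strtol(hex, NULL, 16); /* %60 -> backtick */
                    v += 3;
                } else if (*v == '+') {
                    out[o++] = ' ';
                    v++;
                } else {
                    out[o++] = *v++;
                }
            }
            out[o] = '\0';
            return (int)o;
        }
        p = strchr(p, '&');      /* advance to the next name=value pair */
        if (p != NULL)
            p++;
    }
    return -1;
}

typedef enum {
    ENROLLEE_OK = 0,      /* safe to hand to the WPS logic */
    ENROLLEE_MISSING,     /* field absent or too long */
    ENROLLEE_SHELL_META,  /* decoded value carries shell metacharacters */
    ENROLLEE_BAD_FORMAT   /* no metacharacters, but not a PIN either */
} enrollee_verdict;

/* The check a hardened handler runs at input extraction, before the value can
   reach any system()/popen()-style call. Over captured bodies it is a
   detection rule: SHELL_META verdicts are injection attempts. */
enrollee_verdict check_enrollee_request(const char *body)
{
    char val[64];

    if (get_form_field(body, "enrollee", val, sizeof val) < 0)
        return ENROLLEE_MISSING;
    if (contains_shell_meta(val))
        return ENROLLEE_SHELL_META;
    if (!enrollee_is_valid(val))
        return ENROLLEE_BAD_FORMAT;
    return ENROLLEE_OK;
}

/* Count bodies in a captured batch that carry shell metacharacters. */
size_t count_injection_attempts(const char *const *bodies, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (check_enrollee_request(bodies[i]) == ENROLLEE_SHELL_META)
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed sample bodies, not captured traffic: a benign PIN, the
       page's PoC shape, its percent-encoded form, and a malformed value. */
    const char *const bodies[] = {
        "setPIN=Start+PIN&enrollee=12345670&webpage=wlan_wps.asp",
        "setPIN=Start+PIN&enrollee=`reboot`&webpage=wlan_wps.asp",
        "setPIN=Start+PIN&enrollee=%60reboot%60&webpage=wlan_wps.asp",
        "setPIN=Start+PIN&enrollee=abcdefgh&webpage=wlan_wps.asp",
    };
    static const char *const names[] = { "OK", "MISSING", "SHELL_META", "BAD_FORMAT" };
    for (size_t i = 0; i < 4; i++)
        printf("%-60s -> %s\n", bodies[i], names[check_enrollee_request(bodies[i])]);
    printf("injection attempts: %zu\n", count_injection_attempts(bodies, 4));
    return 0;
}
```

The order of the checks matters: the value is percent-decoded first, so an encoded backtick (`%60`) is caught the same way as a literal one, and the metacharacter test runs before the format allowlist so that rejected requests can be logged with the more specific verdict. On a device that cannot be patched, the same function applied to proxy or capture data is the practical detection option.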
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.