15 Remote Flaws Disclosed in End-of-Life TRENDnet TEW-432BRP Router; No Patches Coming
Fifteen vulnerabilities, including 13 stack-based buffer overflows and 2 command injection flaws, have been disclosed for the end-of-life TRENDnet TEW-432BRP router, with public exploit code available and no firmware patches forthcoming.

Fifteen vulnerabilities were disclosed together for the TRENDnet TEW-432BRP (also referenced as TEW-632BRP) router running firmware version 3.10B20, the bulk of them high-severity stack-based buffer overflows that can be triggered remotely with publicly available exploit code. The batch, published between May 29 and May 31, 2026, reveals a systemic lack of input validation across the device's web-based management interface, putting users at risk of remote code execution and device compromise.
Thirteen of the fifteen CVEs are stack-based buffer overflow flaws, all rated High (CVSSv3 8.8) except for one Medium (6.3). The vulnerabilities span nearly every administrative function exposed through the router's /goform/ CGI endpoints. An attacker with network access to the management interface can overflow fixed-size buffers by sending oversized arguments, potentially hijacking execution flow. The affected functions include password management (CVE-2026-10162), statistics reset (CVE-2026-10161), wizard enable (CVE-2026-10160), system log (CVE-2026-10159), port forwarding (CVE-2026-10158), domain filtering (CVE-2026-10123), protocol filtering (CVE-2026-10122), URL filtering (CVE-2026-10121), firewall rules (CVE-2026-10120), MAC filtering (CVE-2026-10119), port triggering (CVE-2026-10064), WPS configuration (CVE-2026-10063), and routing table (CVE-2026-10062). Each of these functions accepts user-supplied data and copies it into a fixed stack buffer without bounds checking.
Two additional vulnerabilities, rated Medium (CVSSv3 6.3), involve command injection rather than buffer overflow. Both affect the same firmware version 3.10B20: CVE-2026-10061 is a command injection in the formWPS function via the peerPin argument, and CVE-2026-10060 is a command injection in the formSetRoute function via the ip/mask/gateway arguments. While the CVSS scores are lower, command injection can be equally dangerous, allowing an attacker to execute arbitrary operating-system commands on the router.
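Both flaw classes described above can be watched for at a proxy or IDS placed in front of the management interface. The following detection sketch is an added example, not code from TRENDnet or the CVE records; the /goform/<handler> path layout, the 128-character threshold, the 4- or 8-digit PIN format, the formExample handler name and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

MAX_ARG_LEN = 128  # assumed threshold; set it above the longest legitimate field

def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def _is_wps_pin(value):  # assumption: a WPS PIN is 4 or 8 ASCII digits
    return value.isascii() and value.isdigit() and len(value) in (4, 8)

# Strict formats for the arguments named in CVE-2026-10061 and CVE-2026-10060.
STRICT = {
    "formWPS": {"peerPin": _is_wps_pin},
    "formSetRoute": {"ip": _is_ipv4, "mask": _is_ipv4, "gateway": _is_ipv4},
}

def inspect(url, body=""):
    """Return (rule, parameter) findings for one request to the router."""
    parts = urlsplit(url)
    if not parts.path.startswith("/goform/"):
        return []
    handler = parts.path.rsplit("/", 1)[-1]  # assumption: /goform/<handler>
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in params:
        if len(value) > MAX_ARG_LEN:  # overflowing a fixed buffer needs oversized input
            findings.append(("oversized-argument", name))
        check = STRICT.get(handler, {}).get(name)
        if check and not check(value):  # anything but the expected format
            findings.append(("malformed-argument", name))
    return findings

# Constructed sample requests (url, form body); formExample is a placeholder name.
SAMPLES = [
    ("/goform/formSetRoute", "ip=192.168.10.0&mask=255.255.255.0&gateway=192.168.10.1"),
    ("/goform/formWPS", "peerPin=12345670%3Becho"),
    ("/goform/formExample", "arg=" + "A" * 600),
    ("/index.html", "arg=" + "A" * 600),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, inspect(url, body))
```

The allow-list check for peerPin and the route fields is deliberately strict: it flags any value that is not the expected format rather than trying to enumerate shell metacharacters.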
TRENDnet has acknowledged the vulnerabilities. For CVE-2026-10061, the vendor's official statement reads: "This product has been End of Life and is no longer supported." The TEW-432BRP (and its variant TEW-632BRP) running firmware 3.10B20 is a legacy device that has reached end-of-life (EOL) status. No firmware patch will be issued for any of the 15 CVEs. Users are advised to replace the device with a supported model.
All 15 vulnerabilities are remotely exploitable without authentication, according to the CVE descriptions. With public exploit code already available for each flaw, the barrier to weaponization is low. An attacker who compromises the router could intercept or redirect traffic, install persistent malware, or use the device as a pivot point into the local network.
Given the EOL status and the absence of patches, every TEW-432BRP and TEW-632BRP unit still in service is effectively a permanent security risk. Users should prioritize replacing these routers immediately.