Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10064

CVE-2026-10064: Trendnet TEW-432BRP Buffer Overflow Flaw

CVE-2026-10064 is a stack-based buffer overflow flaw in Trendnet TEW-432BRP firmware that enables remote attackers to exploit the formSetPortTr function. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-10064 Overview

CVE-2026-10064 is a stack-based buffer overflow in the TRENDnet TEW-432BRP wireless router running firmware version 3.10B20. The flaw resides in the formSetPortTr function of /goform/formSetPortTr, where manipulation of the special_name argument corrupts the stack. An attacker with low-level privileges can trigger the condition remotely over the network. The vendor has confirmed the device reached end-of-life (EOL) in 2009 and will not issue a fix. Public exploit details have been released, increasing exposure risk for any device still in service. This vulnerability is mapped to [CWE-119].

Critical Impact

A remote authenticated attacker can corrupt stack memory on an unsupported router, potentially leading to denial of service or execution of attacker-controlled code on the device.

Affected Products

  • TRENDnet TEW-432BRP hardware (EOL since 2009)
  • TRENDnet TEW-432BRP firmware version 3.10B20
  • Any deployment exposing /goform/formSetPortTr to untrusted networks

Discovery Timeline

  • 2026-05-29 - CVE-2026-10064 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-10064

Vulnerability Analysis

The TEW-432BRP web management interface exposes the formSetPortTr handler for port-trigger configuration. The handler copies the user-controlled special_name parameter into a fixed-size stack buffer without enforcing length validation. Submitting an oversized value overflows the buffer and overwrites adjacent stack data, including saved return addresses on the MIPS-based firmware. Because exploit material is publicly available, attackers can adapt it without independent reverse engineering. The EPSS probability is currently 0.039% (12.02 percentile), reflecting low observed exploitation, but exposure rises sharply if the device is reachable from the internet.

Root Cause

The root cause is missing bounds checking on the special_name HTTP form parameter inside formSetPortTr. The handler uses an unchecked string copy into a stack-allocated buffer, classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). The vendor has stated the product has been EOL for 15 years and will not be patched.

Attack Vector

Exploitation requires network access to the router's web interface and a low-privilege session. The attacker submits a crafted POST request to /goform/formSetPortTr with an oversized special_name value. Successful exploitation overwrites stack data and can redirect control flow on the embedded device. See the GitHub vulnerability documentation and VulDB entry #367150 for the published technical proof.

Detection Methods for CVE-2026-10064

Indicators of Compromise

  • HTTP POST requests to /goform/formSetPortTr containing abnormally long special_name parameter values.
  • Unexpected reboots, watchdog resets, or web service crashes on TEW-432BRP devices.
  • Authenticated administrative sessions originating from unfamiliar source addresses targeting legacy router firmware.

Detection Strategies

  • Inspect web traffic to TRENDnet management endpoints and alert when special_name exceeds a conservative byte threshold.
  • Fingerprint legacy TEW-432BRP devices on the network using HTTP banner and CPE matching against cpe:2.3:o:trendnet:tew-432brp_firmware:3.10b20.
  • Correlate router crash telemetry with preceding HTTP requests to /goform/formSetPortTr to identify exploitation attempts.

Monitoring Recommendations

  • Add an inventory rule that flags any TEW-432BRP device as unsupported and at-risk until decommissioned.
  • Monitor outbound traffic from the router segment for command-and-control patterns that would indicate post-exploitation activity.
  • Capture and archive web management traffic for forensic review while the device remains in service.

How to Mitigate CVE-2026-10064

Immediate Actions Required

  • Remove the TEW-432BRP from production networks and replace it with a vendor-supported router.
  • If immediate replacement is not possible, block external access to the web management interface and restrict it to a dedicated management VLAN.
  • Disable remote administration and WAN-side HTTP access on the device.

Patch Information

No patch is available. The vendor has stated: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." Decommissioning is the only complete remediation.

Workarounds

  • Place the router behind a firewall that drops inbound HTTP and HTTPS traffic destined for its management interface.
  • Restrict LAN-side access to /goform/formSetPortTr using ACLs on upstream switches or a host-based filter where supported.
  • Rotate the administrative password and ensure default credentials are not in use to limit the low-privilege precondition for exploitation.
bash
# Example upstream firewall rules to isolate an EOL TEW-432BRP
# Block inbound HTTP/HTTPS to the router management IP
iptables -A FORWARD -d 192.0.2.10 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 192.0.2.10 -p tcp --dport 443 -j DROP

# Permit management only from a trusted admin host
iptables -I FORWARD -s 192.0.2.250 -d 192.0.2.10 -p tcp --dport 80 -j ACCEPT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.