Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10119

CVE-2026-10119: TRENDnet TEW-432BRP Buffer Overflow Flaw

CVE-2026-10119 is a stack-based buffer overflow in TRENDnet TEW-432BRP router that allows remote attackers to exploit the formSetMACFilter function. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-10119 Overview

CVE-2026-10119 is a stack-based buffer overflow [CWE-119] in the TRENDnet TEW-432BRP wireless router running firmware version 3.10B20. The flaw resides in the formSetMACFilter function within /goform/formSetMACFilter. Attackers manipulate the filter_name argument to overflow a fixed-size stack buffer, corrupting saved return addresses and adjacent stack data. Exploitation is possible over the network and requires only low-privilege authentication. A public proof-of-concept exists on GitHub. TRENDnet has confirmed the device has been end-of-life (EOL) since 2009 and will not issue a fix.

Critical Impact

Remote attackers with low-privilege credentials can corrupt router memory, achieve arbitrary code execution on the device, and pivot into the internal network. No vendor patch will be released.

Affected Products

  • TRENDnet TEW-432BRP wireless router
  • Firmware version 3.10B20
  • Product is EOL since 2009 and no longer supported

Discovery Timeline

  • 2026-05-30 - CVE-2026-10119 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-10119

Vulnerability Analysis

The vulnerability exists in the HTTP request handler formSetMACFilter, which processes MAC address filter configuration submitted through the router web interface at /goform/formSetMACFilter. The handler copies the user-supplied filter_name parameter into a fixed-size stack buffer without bounds validation. Submitting an oversized filter_name value overwrites adjacent stack memory, including the saved return address of the function frame.

Because TEW-432BRP firmware lacks modern exploit mitigations such as address space layout randomization (ASLR) and stack canaries, an attacker can reliably redirect execution flow to attacker-controlled shellcode or to ROP gadgets within the firmware image. Successful exploitation grants code execution in the context of the router web daemon, which typically runs with root privileges on consumer SOHO routers.

The public proof-of-concept on GitHub demonstrates the crash condition and confirms the overflow primitive. See the GitHub Proof of Concept for technical details.

Root Cause

The root cause is the absence of length checking when copying the filter_name HTTP parameter into a stack-allocated buffer. The handler uses an unsafe string copy operation that trusts the attacker-controlled input length, a classic [CWE-119] improper restriction of operations within the bounds of a memory buffer.

Attack Vector

The attack is delivered over the network through an HTTP POST request to /goform/formSetMACFilter. The CVSS 4.0 vector indicates low attack complexity and requires low-privilege authentication, meaning an attacker needs valid web interface credentials, including default credentials commonly left unchanged on EOL home routers. No user interaction is required. Once exploited, the attacker gains control of the router, enabling DNS hijacking, traffic interception, and lateral movement into the LAN.

No verified code examples are available. Refer to the VulDB #367296 entry and the public PoC for exploitation specifics.

Detection Methods for CVE-2026-10119

Indicators of Compromise

  • HTTP POST requests to /goform/formSetMACFilter containing abnormally long filter_name values exceeding typical input lengths
  • Router web service crashes, reboots, or watchdog restarts correlated with management interface traffic
  • Unexpected outbound connections from the router management plane to unknown hosts
  • Changes to DNS configuration, firewall rules, or admin credentials on the TEW-432BRP without authorized administrative activity

Detection Strategies

  • Inspect network traffic for HTTP requests targeting /goform/formSetMACFilter and alert on requests where the filter_name field exceeds a sane length threshold such as 64 bytes
  • Monitor the router management VLAN for anomalous source addresses contacting the web administration interface
  • Use network discovery to inventory EOL devices and flag any TRENDnet TEW-432BRP devices still in production

Monitoring Recommendations

  • Forward firewall and switch logs to a centralized analytics platform and alert on traffic patterns matching exploitation attempts
  • Capture full packet data for the router management subnet to support post-incident forensics
  • Continuously baseline DNS resolver settings issued by the router via DHCP and alert on unauthorized changes

How to Mitigate CVE-2026-10119

Immediate Actions Required

  • Replace the TRENDnet TEW-432BRP with a currently supported router. The vendor has stated no patch will be issued because the product has been EOL since 2009.
  • Disconnect the affected device from any internet-facing interface until replacement is complete
  • Restrict access to the router web administration interface to a dedicated management host on a segmented VLAN
  • Change any default or weak administrative credentials to limit the low-privilege precondition required by the exploit

Patch Information

No patch is available. TRENDnet has publicly stated: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." Device replacement is the only durable remediation.

Workarounds

  • Block external access to TCP port 80 and 443 on the router WAN interface using an upstream firewall
  • Place the device behind a network segment that allows only outbound traffic and disallows administrative reachability from untrusted clients
  • Disable remote management features and restrict LAN-side management to a single hardened workstation
  • Inventory and decommission all EOL networking equipment as part of standard asset lifecycle management
bash
# Example: block external HTTP/HTTPS to the legacy router from upstream firewall
iptables -A FORWARD -d <router_wan_ip> -p tcp --dport 80 -j DROP
iptables -A FORWARD -d <router_wan_ip> -p tcp --dport 443 -j DROP

# Restrict LAN-side management to a single admin workstation
iptables -A FORWARD -s <admin_workstation_ip> -d <router_lan_ip> -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d <router_lan_ip> -p tcp --dport 80 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.