CVE-2026-10119 Overview
CVE-2026-10119 is a stack-based buffer overflow [CWE-119] in the TRENDnet TEW-432BRP wireless router running firmware version 3.10B20. The flaw resides in the formSetMACFilter function within /goform/formSetMACFilter. Attackers manipulate the filter_name argument to overflow a fixed-size stack buffer, corrupting saved return addresses and adjacent stack data. Exploitation is possible over the network and requires only low-privilege authentication. A public proof-of-concept exists on GitHub. TRENDnet has confirmed the device has been end-of-life (EOL) since 2009 and will not issue a fix.
Critical Impact
Remote attackers with low-privilege credentials can corrupt router memory, achieve arbitrary code execution on the device, and pivot into the internal network. No vendor patch will be released.
Affected Products
- TRENDnet TEW-432BRP wireless router
- Firmware version 3.10B20
- Product is EOL since 2009 and no longer supported
Discovery Timeline
- 2026-05-30 - CVE-2026-10119 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10119
Vulnerability Analysis
The vulnerability exists in the HTTP request handler formSetMACFilter, which processes MAC address filter configuration submitted through the router web interface at /goform/formSetMACFilter. The handler copies the user-supplied filter_name parameter into a fixed-size stack buffer without bounds validation. Submitting an oversized filter_name value overwrites adjacent stack memory, including the saved return address of the function frame.
Because TEW-432BRP firmware lacks modern exploit mitigations such as address space layout randomization (ASLR) and stack canaries, an attacker can reliably redirect execution flow to attacker-controlled shellcode or to ROP gadgets within the firmware image. Successful exploitation grants code execution in the context of the router web daemon, which typically runs with root privileges on consumer SOHO routers.
The public proof-of-concept on GitHub demonstrates the crash condition and confirms the overflow primitive. See the GitHub Proof of Concept for technical details.
Root Cause
The root cause is the absence of length checking when copying the filter_name HTTP parameter into a stack-allocated buffer. The handler uses an unsafe string copy operation that trusts the attacker-controlled input length, a classic [CWE-119] improper restriction of operations within the bounds of a memory buffer.
Attack Vector
The attack is delivered over the network through an HTTP POST request to /goform/formSetMACFilter. The CVSS 4.0 vector indicates low attack complexity and requires low-privilege authentication, meaning an attacker needs valid web interface credentials, including default credentials commonly left unchanged on EOL home routers. No user interaction is required. Once exploited, the attacker gains control of the router, enabling DNS hijacking, traffic interception, and lateral movement into the LAN.
No verified code examples are available. Refer to the VulDB #367296 entry and the public PoC for exploitation specifics.
Detection Methods for CVE-2026-10119
Indicators of Compromise
- HTTP POST requests to /goform/formSetMACFilter containing abnormally long filter_name values exceeding typical input lengths
- Router web service crashes, reboots, or watchdog restarts correlated with management interface traffic
- Unexpected outbound connections from the router management plane to unknown hosts
- Changes to DNS configuration, firewall rules, or admin credentials on the TEW-432BRP without authorized administrative activity
Detection Strategies
- Inspect network traffic for HTTP requests targeting /goform/formSetMACFilter and alert on requests where the filter_name field exceeds a sane length threshold such as 64 bytes
- Monitor the router management VLAN for anomalous source addresses contacting the web administration interface
- Use network discovery to inventory EOL devices and flag any TRENDnet TEW-432BRP devices still in production
Monitoring Recommendations
- Forward firewall and switch logs to a centralized analytics platform and alert on traffic patterns matching exploitation attempts
- Capture full packet data for the router management subnet to support post-incident forensics
- Continuously baseline DNS resolver settings issued by the router via DHCP and alert on unauthorized changes
How to Mitigate CVE-2026-10119
Immediate Actions Required
- Replace the TRENDnet TEW-432BRP with a currently supported router. The vendor has stated no patch will be issued because the product has been EOL since 2009.
- Disconnect the affected device from any internet-facing interface until replacement is complete
- Restrict access to the router web administration interface to a dedicated management host on a segmented VLAN
- Change any default or weak administrative credentials to limit the low-privilege precondition required by the exploit
Patch Information
No patch is available. TRENDnet has publicly stated: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." Device replacement is the only durable remediation.
Workarounds
- Block external access to TCP port 80 and 443 on the router WAN interface using an upstream firewall
- Place the device behind a network segment that allows only outbound traffic and disallows administrative reachability from untrusted clients
- Disable remote management features and restrict LAN-side management to a single hardened workstation
- Inventory and decommission all EOL networking equipment as part of standard asset lifecycle management
# Example: block external HTTP/HTTPS to the legacy router from upstream firewall
iptables -A FORWARD -d <router_wan_ip> -p tcp --dport 80 -j DROP
iptables -A FORWARD -d <router_wan_ip> -p tcp --dport 443 -j DROP
# Restrict LAN-side management to a single admin workstation
iptables -A FORWARD -s <admin_workstation_ip> -d <router_lan_ip> -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d <router_lan_ip> -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

