CVE-2026-5352 Overview
CVE-2026-5352 is an OS command injection vulnerability affecting the Trendnet TEW-657BRM wireless router running firmware version 1.00.1. The flaw resides in the Edit function within /setup.cgi, where the pcdb_list argument is passed to the underlying operating system without proper sanitization [CWE-77]. Remote attackers with low-level privileges can inject arbitrary operating system commands through this parameter. The exploit details have been publicly disclosed.
Critical Impact
The Trendnet TEW-657BRM reached end-of-life on June 23, 2011. The vendor will not issue a patch, leaving any still-deployed devices permanently exposed to remote command injection.
Affected Products
- Trendnet TEW-657BRM hardware router
- Trendnet TEW-657BRM firmware version 1.00.1
- All TEW-657BRM units (end-of-life since June 23, 2011)
Discovery Timeline
- 2026-04-02 - CVE-2026-5352 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-5352
Vulnerability Analysis
The vulnerability exists in the request handler for the Edit operation served by /setup.cgi on the TEW-657BRM management interface. The pcdb_list parameter accepted by this endpoint is concatenated into a command string that the firmware executes through an OS-level shell call. Because the input is not validated or escaped, shell metacharacters such as ;, |, and backticks are interpreted by the underlying shell. An authenticated attacker reaching the web management interface can append arbitrary commands to the expected value of pcdb_list.
Successful exploitation allows the attacker to run commands in the context of the web server process on the router. On embedded SOHO devices of this generation, that context is typically root, which grants full control of routing, DNS, firewall, and wireless configuration. The CWE classification is CWE-77: Improper Neutralization of Special Elements used in a Command.
Root Cause
The setup.cgi binary passes user-controlled HTTP parameters directly to a shell interpreter without input filtering or use of a safe execution API. The Edit function trusts the pcdb_list value as a structured list, but the firmware does not enforce the expected format before invoking the system shell.
Attack Vector
The attack is network-reachable through the router's web administration interface and requires low-privilege authentication. An attacker submits a crafted HTTP request to /setup.cgi invoking the Edit action with a pcdb_list value that includes shell separators followed by attacker-chosen commands. If the management interface is exposed to the WAN or an attacker has reached the LAN, the device executes the injected commands, giving the attacker control of the router.
No verified exploit code is published in trusted repositories at this time. Technical write-ups are available in the GitHub vulnerability documentation and on VulDB entry #354705.
Detection Methods for CVE-2026-5352
Indicators of Compromise
- HTTP POST or GET requests to /setup.cgi containing the Edit action and a pcdb_list parameter with shell metacharacters such as ;, &&, |, or backticks.
- Outbound connections from the router's WAN interface to unfamiliar hosts, indicating downloader or reverse-shell activity after injection.
- Unexpected changes to router DNS settings, firewall rules, or administrative credentials.
- New processes or persistence scripts observed on the device if console access is available.
Detection Strategies
- Inspect web traffic destined for the router's management interface for pcdb_list values containing characters outside the expected list format.
- Alert on any administrative HTTP request to the TEW-657BRM originating from external IP ranges.
- Correlate router-originated DNS or HTTP requests against threat intelligence to surface command-and-control behavior.
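The first strategy above can be run over proxy or IDS request logs. The following is an added example, not code from the advisory or the vendor. It assumes a tab-separated log record (source, method, URI, form body). It keys on the /setup.cgi path and the pcdb_list parameter only, because the advisory does not give the parameter name that selects the Edit action. The `$(` and CR/LF patterns go beyond the metacharacters the advisory lists and are an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Shell metacharacters named in the advisory (; && | backtick), plus $( and
# CR/LF, which are added here as an assumption about other separators.
SHELL_META = re.compile(r";|&&|\||`|\$\(|[\r\n]")


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so a double-encoded %253B is seen as ';'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def pcdb_list_values(uri, body=""):
    """Yield decoded pcdb_list values from the query string and form body."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith("/setup.cgi"):
        return
    for raw in (parts.query, body):
        for name, value in parse_qsl(raw, keep_blank_values=True, separator="&"):
            if name == "pcdb_list":
                yield fully_decode(value)


def scan(log_lines):
    """Return (src_ip, value) for each request whose pcdb_list has shell metacharacters."""
    hits = []
    for line in log_lines:
        src, _method, uri, body = (line.split("\t") + [""] * 4)[:4]
        for value in pcdb_list_values(uri, body):
            if SHELL_META.search(value):
                hits.append((src, value))
    return hits


# Constructed sample records (tab-separated: src, method, URI, form body).
SAMPLE = [
    "10.10.10.5\tPOST\t/setup.cgi\tpcdb_list=host1",
    "198.51.100.7\tPOST\t/setup.cgi\tpcdb_list=host1%3BMARKER",
    "198.51.100.7\tGET\t/setup.cgi?pcdb_list=a%2560MARKER%2560\t",
    "10.10.10.9\tGET\t/index.htm?pcdb_list=x%7Cy\t",
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE):
        print(f"ALERT src={src} pcdb_list={value!r}")
```

A hit from an address outside the administrative host range also satisfies the second strategy (administrative requests from external sources) and should be triaged first.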
Monitoring Recommendations
- Forward perimeter firewall and IDS logs covering the router's management VLAN to a centralized analytics platform for retention and search.
- Baseline normal administrative access patterns to the device and alert on deviations in source IP, time of day, or request volume.
- Monitor for traffic patterns consistent with embedded-device compromise, including outbound IRC, Tor, or known botnet ports.
How to Mitigate CVE-2026-5352
Immediate Actions Required
- Remove the Trendnet TEW-657BRM from production networks and replace it with a currently supported router. The device has been end-of-life since June 23, 2011 and will not receive a fix.
- If immediate replacement is not possible, disable remote management on the WAN interface and restrict LAN-side access to the management UI to a dedicated administrative host.
- Change the administrative password and audit existing configuration for unauthorized changes to DNS, firewall, or port-forwarding rules.
Patch Information
No patch is available or planned. The vendor has confirmed that the TEW-657BRM is discontinued and will not be analyzed or fixed. Trendnet states it will publish an end-of-life notice on the product support page and notify registered customers. Replacement with a supported router is the only durable remediation.
Workarounds
- Place the device behind an upstream firewall that blocks inbound access to TCP/80 and TCP/443 on the router's WAN interface.
- Segment the router onto an isolated VLAN and require VPN access for any administrative session.
- Disable any features that expose /setup.cgi to untrusted networks, including UPnP and remote configuration utilities.
- Treat the device as untrusted and restrict the traffic it can originate using egress filtering on the upstream firewall.
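# Example egress and management restriction on an upstream firewall (iptables)
# In this example 192.0.2.10 is the router and 10.10.10.5 is the only host allowed to manage it
# Egress: drop web traffic originated by the router
iptables -A FORWARD -s 192.0.2.10 -p tcp --dport 80 -j DROP
iptables -A FORWARD -s 192.0.2.10 -p tcp --dport 443 -j DROP
# Management: drop HTTP to the router from every source except 10.10.10.5 (forwarded traffic, so FORWARD; negation precedes -s)
iptables -A FORWARD -p tcp --dport 80 ! -s 10.10.10.5 -d 192.0.2.10 -j DROP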


