CVE-2026-10063: TRENDnet TEW-432BRP formWPS stack-based overflow
A vulnerability was identified in TRENDnet TEW-432BRP 3.10B20. Affected by this issue is the function formWPS of the file /goform/formWPS. Manipulation of the argument peerPin leads to a stack-based buffer overflow. The attack can be performed remotely. The exploit is publicly available and might be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
HarborGuard Analysis
Synopsis
This is a stack-based buffer overflow in the formWPS handler of the TRENDnet TEW-432BRP router, reached over the network via the /goform/formWPS endpoint by manipulating the peerPin argument. Exploitation requires a low-privilege account on the device's web interface and no victim interaction, and a working exploit is publicly available; successful exploitation corrupts the stack and can lead to arbitrary code execution on the device, with full impact on confidentiality, integrity, and availability. The product has been end-of-life since 2009 and the vendor has stated that no fix will be issued; HarborGuard tracks the advisory for any future patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment, with the advisory ingested from upstream feeds within minutes of publication and matched against router firmware images and any container images that bundle TEW-432BRP components in customer registries and CI pipelines, including custom-built images. Coverage extends to images regardless of whether they originate from public registries or internal builds.
Status: Available
Triage is available with the CVSS v4 score of 8.7 (High) applied automatically, then weighted against each customer's compliance policy so that internet-exposed or regulated workloads escalate ahead of isolated lab assets. Findings route to the configured inbox inside each customer org for ownership and tracking.
Status: Available
Because the vendor has declared the product EOL and no fix version exists, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment any upstream fix is published. In the interim, the finding remains open with compensating-control guidance attached.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the router's HTTP management interface over the network to post to /goform/formWPS.
- Authentication: Required
A low-privilege account on the device's web interface is sufficient to invoke the vulnerable handler.
- Victim interaction: Not required
No user action is needed; the attacker drives the exploit directly against the endpoint.
- Attack complexity: Low
Attack complexity is low and a public exploit exists, making the overflow reliable to trigger.
Blast Radius
- Overwrites the stack in the formWPS handler and enables arbitrary code execution in the router's web service context.
- Reads device configuration, stored credentials, and WPS/Wi-Fi secrets handled by the management interface.
- Modifies router configuration, firewall rules, DNS settings, and routing behavior, enabling traffic interception or redirection of clients behind the device.
- Crashes or hangs the management service and can render the router unavailable until reboot or reflash.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of this VulDB advisory and any downstream references, with the finding kept open against affected TEW-432BRP 3.10B20 assets and matched in customer registries on every scan. Because the vendor has confirmed the device is EOL since 2009 and will not ship a fix, the recommended path is replacement of the hardware; until then, compensating-control suggestions surfaced alongside the finding include removing the management interface from any untrusted network, restricting access via network-policy isolation and egress filtering, rotating any credentials reused from the device, and disabling WPS where possible. If an upstream or third-party fix is ever published, a patched-image rebuild becomes available automatically, and customers with auto-remediation enabled get a rebuild, regression-test run, and PR opened against affected workloads.
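The compensating controls above (keep the management interface off untrusted networks, disable WPS, watch the endpoint) can be backed by a simple log-side check. The following is an added example written for this page, not HarborGuard's or TRENDnet's code: it scans web-server access-log lines for requests to the /goform/formWPS handler and flags two things a defender cares about, a request whose peerPin value does not look like a WPS PIN (WPS PINs are 4 or 8 decimal digits; anything else is treated as anomalous, including the oversized values that would exercise the overflow) and a request arriving from outside an assumed management network. The log format, the management-network allowlist (192.0.2.0/24), the assumption that the logging layer records form bodies, and all sample lines are constructed for the example and are not from the advisory.

```python
"""Detection helper for CVE-2026-10063-style requests (added example, not vendor code).

Assumptions (constructed for this example, not stated in the advisory):
- access-log lines use a common-log-like layout; a logged form body, if any,
  is appended as a final quoted field.
- legitimate WPS PINs are 4 or 8 decimal digits.
- the only network allowed to reach the management UI is 192.0.2.0/24.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/goform/formWPS"
ARG_NAME = "peerPin"
LEGIT_PIN = re.compile(r"^(\d{4}|\d{8})$")          # WPS PIN format
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed allowlist

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<body>[^"]*)")?$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def extract_args(rec):
    """Merge query-string parameters with any logged form-body parameters."""
    parts = urlsplit(rec["target"])
    args = parse_qs(parts.query, keep_blank_values=True)
    if rec.get("body"):
        for key, values in parse_qs(rec["body"], keep_blank_values=True).items():
            args.setdefault(key, []).extend(values)
    return parts.path, args


def classify(rec):
    """Return the reasons a request to the vulnerable handler is suspicious."""
    path, args = extract_args(rec)
    if path != VULN_PATH:
        return []  # only the formWPS handler is of interest here
    reasons = []
    try:
        src = ipaddress.ip_address(rec["src"])
        inside = any(src in net for net in MGMT_NETS)
    except ValueError:
        inside = False  # unparsable source: treat as untrusted
    if not inside:
        reasons.append("source_outside_mgmt_net")
    for value in args.get(ARG_NAME, []):
        if not LEGIT_PIN.match(value):
            # oversized or non-numeric PIN: the shape of input that reaches the overflow
            reasons.append(f"{ARG_NAME}_malformed(len={len(value)})")
    return reasons


def scan(lines):
    """Run classify() over every parsable line and collect the alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append({"src": rec["src"], "ts": rec["ts"],
                           "status": rec["status"], "reasons": reasons})
    return alerts


# Constructed sample log: one benign WPS request, one unrelated page hit,
# one oversized peerPin from outside the management net, one 7-digit PIN.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "POST /goform/formWPS?peerPin=12345670 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2026:10:00:02 +0000] "GET /index.htm HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "POST /goform/formWPS HTTP/1.1" 500 0 "peerPin=' + "X" * 64 + '"',
    '192.0.2.23 - - [01/Jan/2026:10:00:09 +0000] "POST /goform/formWPS HTTP/1.1" 200 300 "peerPin=1234567"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample above the scan yields two alerts: the 64-byte peerPin from 198.51.100.7 (flagged both for its source and its length) and the 7-digit PIN from inside the management net. A 500 status on the flagged request is worth correlating with a management-service restart, since the Blast Radius section notes the handler can crash or hang the web service.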
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1 (TRENDnet / TEW-432BRP 3.10B20)
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P