CVE-2026-10119: TRENDnet TEW-432BRP formSetMACFilter stack-based overflow
A security vulnerability has been detected in TRENDnet TEW-432BRP 3.10B20. Affected is the function formSetMACFilter of the file /goform/formSetMACFilter. Manipulating the argument filter_name leads to a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
HarborGuard Analysis
Synopsis
This is a stack-based buffer overflow in the formSetMACFilter handler (/goform/formSetMACFilter) of the TRENDnet TEW-432BRP router, reachable over the network by an attacker holding any low-privilege account on the device. Oversizing the filter_name argument corrupts the stack and lets the attacker fully compromise confidentiality, integrity, and availability of the router, typically resulting in remote code execution on the embedded firmware. The device has been end-of-life since 2009 and TRENDnet has stated it will not issue a fix; HarborGuard tracks the advisory and will make a patched rebuild available the moment any upstream fix is published.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: CVE-2026-10119 is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that embed or proxy TRENDnet firmware components. Any container surfacing the affected TEW-432BRP 3.10B20 build is flagged on the next scan cycle.
- Triage: Available
Triage is available with the published CVSS v4.0 score of 8.7 (High) applied as the baseline, then reweighted against each customer organization's compliance policy (for example, network-edge or IoT-facing workloads can be escalated). Findings route to the appropriate inbox inside each customer org based on image ownership and workload tags.
- Patched rebuild: Pending upstream
Because the vendor has declared the product end-of-life and will not ship a fix, no patched-image rebuild is currently possible. HarborGuard re-checks the advisory each ingest cycle and will make a patched rebuild available the moment any upstream or community fix is published, with auto-remediation customers receiving a rebuild, regression run, and PR against affected workloads at that point.
Exploit Conditions
- Network reachability: Required
The attacker must reach the router's HTTP management interface over the network (AV:N).
- Authentication: Required
PR:L indicates any low-privilege account on the device is sufficient to invoke the vulnerable form handler.
- Victim interaction: Not required
UI:N: no user has to click or open anything for the exploit to fire.
- Attack complexity: Low
AC:L: the overflow is reliable and has no environmental preconditions, and a public exploit is already disclosed.
Blast Radius
- Executes attacker-controlled code in the router's web server process, typically running with full firmware privileges.
- Reads any credentials, Wi-Fi keys, and configuration stored on the device.
- Modifies routing, DNS, firewall, and MAC filter rules to redirect or intercept traffic from every client behind the router.
- Crashes or bricks the device, taking the local network offline.
How HarborGuard Handles This
Available on HarborGuard: continuous tracking of CVE-2026-10119 against every scanned image, with High-severity routing into customer triage inboxes and compliance-policy reweighting per environment. Because TRENDnet has declared the TEW-432BRP end-of-life and no fix version exists, no patched rebuild can be produced today; HarborGuard recommends compensating controls such as isolating the management interface behind a network policy, blocking inbound access to /goform/* from untrusted segments, restricting egress from the device, and planning replacement of the EOL hardware. The advisory is re-evaluated on every ingest cycle, and if an upstream or community patch ships, a rebuilt image becomes available automatically, with auto-remediation customers receiving a regression-tested PR against affected workloads (median time from CVE publication to merged patch PR for High-severity issues is around 90 minutes for environments with auto-remediation enabled).
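The compensating controls above (restricting who may reach the management interface, and watching /goform/* traffic) can be turned into a simple detection rule while the EOL hardware awaits replacement. The following is an added example and is not HarborGuard's or TRENDnet's code; it assumes a constructed one-line-per-request record format from a reverse proxy or IDS in front of the router, a hypothetical management segment of 192.168.1.0/24, and an assumed 32-byte ceiling for a sane filter_name value. It flags any request to the vulnerable handler that originates outside the management segment or carries an oversized filter_name.

```python
"""Added example (not HarborGuard's or TRENDnet's code).

Flag requests to the TEW-432BRP formSetMACFilter handler that either come
from outside the management segment or carry an oversized filter_name.
The record format, the segment and the length threshold are assumptions.
"""
import ipaddress
from urllib.parse import parse_qs

VULN_PATH = "/goform/formSetMACFilter"   # handler named in the advisory
VULN_PARAM = "filter_name"               # argument named in the advisory

# Assumed: a MAC filter label on this class of device fits in 32 bytes;
# anything much larger is not a legitimate label. Tune to your fleet.
MAX_NAME_LEN = 32

# Assumed: only this segment is allowed to reach the management interface.
MGMT_SEGMENT = ipaddress.ip_network("192.168.1.0/24")


def parse_record(line):
    """Parse one constructed record of the form
    'src=<ip> method=<M> path=<P> body=<urlencoded form>'.
    Returns a dict of fields, or None if the line is not in that shape."""
    fields = {}
    # maxsplit=3 keeps everything after the third space inside the body field
    for token in line.strip().split(maxsplit=3):
        key, sep, value = token.partition("=")
        if not sep:
            return None
        fields[key] = value
    if not all(k in fields for k in ("src", "method", "path")):
        return None
    fields.setdefault("body", "")
    return fields


def assess(line):
    """Return a list of finding strings for one record (empty means clean)."""
    rec = parse_record(line)
    if rec is None:
        return ["unparseable record"]
    if rec["path"] != VULN_PATH:
        return []                       # only the vulnerable handler matters here
    try:
        src = ipaddress.ip_address(rec["src"])
    except ValueError:
        return ["bad source address"]
    findings = []
    if src not in MGMT_SEGMENT:
        findings.append(f"{src} outside management segment reached {VULN_PATH}")
    # Measure the encoded byte length, which is what a C handler would copy
    params = parse_qs(rec["body"], keep_blank_values=True)
    for value in params.get(VULN_PARAM, []):
        size = len(value.encode())
        if size > MAX_NAME_LEN:
            findings.append(f"{VULN_PARAM} length {size} exceeds {MAX_NAME_LEN} from {src}")
    return findings


def scan(records):
    """Return {record_index: findings} for every record that produced findings."""
    results = {}
    for i, record in enumerate(records):
        findings = assess(record)
        if findings:
            results[i] = findings
    return results


# Constructed sample records: an ordinary change from the management segment,
# an oversized filter_name from that segment, a request from an outside
# address, and unrelated traffic that must not alert.
SAMPLE_RECORDS = [
    "src=192.168.1.10 method=POST path=/goform/formSetMACFilter body=filter_name=printer&mac=00:11:22:33:44:55",
    "src=192.168.1.10 method=POST path=/goform/formSetMACFilter body=filter_name=" + "A" * 300 + "&mac=00:11:22:33:44:55",
    "src=203.0.113.7 method=POST path=/goform/formSetMACFilter body=filter_name=guest",
    "src=203.0.113.7 method=GET path=/index.html body=",
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_RECORDS).items():
        for finding in findings:
            print(f"record {index}: {finding}")
```

Two design choices worth noting: the length is measured on the encoded bytes rather than on the decoded string, since that is what an embedded handler copies into its stack buffer, and a request from outside the segment is reported even when its parameters look benign, because the page's primary control is that untrusted segments should never reach /goform/* at all.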
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - TRENDnet / TEW-432BRP 3.10B20
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P