Severity: HIGH | CVE-2026-10120 | CNA: VulDB

CVE-2026-10120: TRENDnet TEW-432BRP formSetFirewallRule stack-based overflow

A vulnerability was detected in TRENDnet TEW-432BRP 3.10B20. The affected element is the function formSetFirewallRule of the file /goform/formSetFirewallRule. Manipulation of the firewall_name argument results in a stack-based buffer overflow. The attack can be executed remotely, and a public exploit is available. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects a product that is no longer supported by the maintainer.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the formSetFirewallRule handler (/goform/formSetFirewallRule) of the TRENDnet TEW-432BRP router running firmware 3.10B20, triggered by an oversized firewall_name argument. The handler is reachable over the network by any authenticated user; a low-privilege web-UI account is enough (PR:L). Successful exploitation overwrites the handler's stack frame, which lets an attacker achieve code execution on the device and persist, fully impacting confidentiality, integrity, and availability. The product has been end-of-life since 2009 and the vendor has stated it will not issue a fix; HarborGuard tracks the advisory for any future patch availability.
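The bug class described above, shown as an added illustration that is not TRENDnet's code and is not derived from the TEW-432BRP firmware: a GoForm-style handler that copies firewall_name into a fixed-size stack buffer without a length check, beside a hardened version that rejects oversized values before copying anything. The buffer size FW_NAME_MAX, the form-body parser, the function names and the request bodies are all assumptions constructed for this example; the real handler's buffer size and copy routine are not stated in the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the on-stack name buffer. The real handler's buffer
 * size is not given in the advisory; 32 is an arbitrary illustrative value. */
#define FW_NAME_MAX 32

/* Find the value of `key` in an application/x-www-form-urlencoded body.
 * Returns a pointer into `body` and stores the value length in *len
 * (up to the next '&' or end of string); returns NULL if the key is absent.
 * Percent-decoding is omitted because it does not affect the bound check. */
static const char *form_value(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* The pattern the advisory describes (hypothetical reconstruction, not vendor
 * code): the value is copied into a fixed-size stack buffer with no length
 * check. A firewall_name of FW_NAME_MAX bytes or more writes past `name`
 * into the saved registers and return address of this frame.
 * Do not call this with untrusted input. */
static int set_firewall_rule_vulnerable(const char *body)
{
    char name[FW_NAME_MAX];
    size_t len;
    const char *v = form_value(body, "firewall_name", &len);

    if (v == NULL)
        return -1;                 /* missing argument */
    memcpy(name, v, len);          /* unbounded copy: stack overflow when len >= sizeof name */
    name[len] = '\0';
    printf("rule name: %s\n", name);
    return 0;
}

/* Hardened form: the length is checked against the buffer before any byte
 * is written, and an oversized value is rejected (an HTTP 400 in a real CGI). */
static int set_firewall_rule_hardened(const char *body)
{
    char name[FW_NAME_MAX];
    size_t len;
    const char *v = form_value(body, "firewall_name", &len);

    if (v == NULL)
        return -1;                 /* missing argument */
    if (len >= sizeof name)
        return -2;                 /* oversized: reject before copying */
    memcpy(name, v, len);
    name[len] = '\0';
    printf("rule name: %s\n", name);
    return 0;
}

/* Build a request body whose firewall_name is n bytes of 'A' (constructed
 * test input, not captured traffic). Returns a static buffer. */
static const char *body_with_name_len(size_t n)
{
    static char buf[512];
    const char *prefix = "firewall_name=";
    const char *suffix = "&src=any";
    size_t i = strlen(prefix);

    if (n > 400)
        n = 400;
    memcpy(buf, prefix, i);
    memset(buf + i, 'A', n);
    i += n;
    memcpy(buf + i, suffix, strlen(suffix) + 1);   /* include the terminating NUL */
    return buf;
}

int main(void)
{
    const char *benign = "firewall_name=allow-ssh&src=10.0.0.0/8&dst=any";   /* constructed */

    printf("hardened, benign:   %d\n", set_firewall_rule_hardened(benign));
    printf("hardened, 200-byte: %d\n", set_firewall_rule_hardened(body_with_name_len(200)));
    /* The vulnerable handler is only exercised with the benign body here;
     * feeding it body_with_name_len(200) would corrupt this stack frame. */
    printf("vulnerable, benign: %d\n", set_firewall_rule_vulnerable(benign));
    return 0;
}
```

The hardened handler refuses any firewall_name of FW_NAME_MAX or more bytes before a single byte reaches the stack buffer; in a CGI handler that check maps to rejecting the request. The vulnerable variant is kept only to show the pattern: calling it with an oversized body is undefined behaviour that overwrites the frame, which is exactly the condition the advisory reports.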

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment, with VulDB and other upstream feeds ingested within minutes of publication and matched against images in customer registries and CI pipelines. Coverage extends to custom-built images, so any image embedding TEW-432BRP firmware artifacts or related components is flagged on the next scan.

Status: Available
Triage

Triage is available with the CVSS v4.0 score of 8.7 (High) applied and then re-weighted against each customer's compliance policy, so device-firmware exposure can be escalated or suppressed per environment. Findings are routed to the security inbox configured for the owning team inside each customer org.

Status: Available
Patch

No upstream fix exists because the device is EOL, so HarborGuard re-checks the advisory each ingest cycle and will make a patched rebuild available automatically if TRENDnet or a downstream maintainer ever publishes one. Until then, the finding remains open with compensating-control guidance attached.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the router's HTTP management interface over the network (AV:N).

  • Authentication: Required

    A low-privilege account on the device web UI is sufficient to invoke the vulnerable handler (PR:L).

  • Victim interaction: Not required

    No user action is needed; the attacker drives the request directly (UI:N).

  • Attack complexity: Low

    No race, special configuration or other precondition is needed (AC:L, AT:N), and a proof-of-concept exploit is public (E:P), so the attack path is demonstrated rather than theoretical.

Blast Radius

  • Overwrites the stack of the embedded HTTP server process, enabling arbitrary code execution on the router.
  • Reads stored device configuration, including firewall rules, credentials, and any cached secrets.
  • Modifies persisted device settings such as DNS, routing, and firewall policy, enabling traffic interception or redirection.
  • Crashes the management daemon (denial of service), taking the web UI, and potentially the router itself, offline for users behind it.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the VulDB advisory and any downstream community patches, with the finding re-evaluated on every ingest cycle so a rebuilt image becomes available the moment an upstream fix is published. Because the device is EOL with no vendor fix planned, compensating-control suggestions are surfaced alongside the finding, including isolating the management interface on a dedicated network segment, restricting access to the /goform/ endpoints via upstream network policy, requiring VPN access for administration, and planning replacement of the TEW-432BRP with a supported model. For customers who opt into auto-remediation, the rebuild, regression run, and PR flow will trigger automatically if a patched artifact ever appears upstream.


Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: no fix available (vendor EOL, no patch planned)
Affected products: 1
Affected packages
  • TRENDnet / TEW-432BRP 3.10B20
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P