CVE-2026-10121: TRENDnet TEW-432BRP formSetUrlFilter stack-based overflow
A flaw has been found in TRENDnet TEW-432BRP 3.10B20. The affected component is the function formSetUrlFilter of the file /goform/formSetUrlFilter. Manipulation of the argument keyword_list/keyword causes a stack-based buffer overflow. The attack can be carried out remotely. An exploit has been published and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
HarborGuard Analysis
Synopsis
A stack-based buffer overflow in the formSetUrlFilter handler of TRENDnet's TEW-432BRP router (firmware 3.10B20) lets an authenticated attacker corrupt memory by sending oversized keyword_list or keyword values to /goform/formSetUrlFilter. The bug is reachable over the network and requires only a low-privilege account, and successful exploitation gives full read, write, and availability impact on the device, typically leading to code execution or a device crash. The product has been end-of-life since 2009 and the vendor will not ship a fix; HarborGuard tracks the advisory and will surface a patched rebuild if one is ever published.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that embed the TRENDnet firmware or its components. Both registry-resident and pipeline-stage images are evaluated on each scan cycle.
- Triage: Available
Triage is available with the published CVSS v4.0 score of 8.7 (High), then reweighted per environment against each customer's compliance policy so that internet-exposed or regulated workloads escalate faster. Findings route to the inbox configured for the owning team inside each customer org.
- Patched rebuild: Pending upstream
No upstream fix exists because the product is end-of-life, so HarborGuard re-checks the advisory on each ingest cycle and will make a patched-image rebuild available the moment any upstream or community fix is published. Until then, the finding stays open with compensating-control guidance attached.
Exploit Conditions
- Network reachability: Required
The attacker must reach the router's HTTP management interface over the network (AV:N).
- Authentication: Required
A low-privilege account on the device is sufficient to invoke the vulnerable handler (PR:L).
- Victim interaction: Not required
No user has to click or open anything; the attacker drives the request directly (UI:N).
- Attack complexity: Low
Attack complexity is low and a public exploit exists, so the overflow triggers reliably without race conditions or special timing (AC:L).
Blast Radius
- Overwrites the stack of the web management process, typically enabling arbitrary code execution on the router as the web service user.
- Reads any configuration or credential material held in device memory, including admin passwords and VPN secrets.
- Modifies persisted router settings such as firewall, DNS, and URL filtering rules, allowing traffic redirection or interception of LAN clients.
- Crashes the management daemon or the device itself, disrupting connectivity for everyone behind the router.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the VulDB advisory, with the finding kept open and visible since TRENDnet has confirmed no fix will be issued for this end-of-life device. Compensating-control guidance is surfaced alongside the finding, including isolating the management interface to a dedicated VLAN, blocking inbound access to /goform/formSetUrlFilter at an upstream firewall, restricting management credentials, and planning replacement of the EOL hardware. If a community or third-party patched build is ever published, ingestion will pick it up on the next cycle and, for customers with auto-remediation enabled, a rebuilt image, regression run, and PR against affected workloads become available automatically.
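One way to implement the compensating control described above, as an added example that is neither HarborGuard's nor TRENDnet's code: a Python check that runs over HTTP logs from an upstream proxy or firewall in front of the management interface and flags requests to /goform/formSetUrlFilter whose decoded keyword or keyword_list values exceed a policy length. The pipe-delimited log format, the sample lines and the 64-byte limit are assumptions; the advisory does not publish the device's real buffer size.

```python
"""Flag oversized keyword/keyword_list submissions to the TEW-432BRP URL-filter
handler in HTTP logs captured in front of the management interface
(compensating-control example, not HarborGuard or vendor code)."""
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/goform/formSetUrlFilter"
WATCHED_PARAMS = ("keyword_list", "keyword")
# Assumed policy limit. The real on-device buffer size is not published, so a
# conservative cap on what a legitimate URL-filter keyword needs is used instead.
MAX_PARAM_LEN = 64

# Constructed sample log in the format "src|method|target|body"; not real traffic.
SAMPLE_LOG = [
    "10.0.0.5|POST|/goform/formSetUrlFilter|keyword_list=casino&keyword=gambling",
    "192.0.2.10|POST|/goform/formSetUrlFilter|keyword_list=" + "a" * 300 + "&keyword=x",
    "10.0.0.7|GET|/goform/formLogin|",
]


def check_request(method, target, body):
    """Return {param: decoded byte length} for each watched parameter that exceeds
    MAX_PARAM_LEN on a request to the vulnerable handler, else None. Both the query
    string and a POST body are inspected, and values are percent-decoded before
    measuring so that encoding cannot hide the true length the handler receives."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    oversized = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            length = len(value.encode("utf-8"))
            if length > MAX_PARAM_LEN:
                oversized[name] = max(oversized.get(name, 0), length)
    return oversized or None


def scan_log(lines):
    """Run check_request over every log line and collect the findings."""
    findings = []
    for line in lines:
        src, method, target, body = line.rstrip("\n").split("|", 3)
        oversized = check_request(method, target, body)
        if oversized:
            findings.append({"src": src, "method": method, "oversized": oversized})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"ALERT {finding['src']} {finding['method']} {VULN_PATH} {finding['oversized']}")
```

The same check can be placed inline at the upstream firewall or reverse proxy to reject the request instead of only alerting on it, which matches the advisory's guidance to block access to the handler at that layer.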
Metrics
- CVSS v4.0
- 8.7
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
- TRENDnet / TEW-432BRP 3.10B20
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P