CVE-2026-10123: TRENDnet TEW-432BRP formSetDomainFilter stack-based overflow
A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. It affects the function formSetDomainFilter of the file /goform/formSetDomainFilter. Manipulating the argument blocked_domain, permitted_domain, blocked_domain_list, or permitted_domain_list results in a stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
HarborGuard Analysis
Synopsis
A stack-based buffer overflow in the formSetDomainFilter handler of the TRENDnet TEW-432BRP router (firmware 3.10B20) is reachable over the network by any authenticated user who can submit oversized values to the blocked_domain, permitted_domain, blocked_domain_list, or permitted_domain_list arguments at /goform/formSetDomainFilter. Successful exploitation corrupts the router's stack and yields full compromise of confidentiality, integrity, and availability on the device, with a public exploit already available. The product has been end-of-life since 2009 and the vendor has stated no fix will be issued; HarborGuard tracks the advisory and will surface a patched rebuild the moment any upstream fix is published.
HarborGuard Coverage
Detection (status: Available)
Detection is available across every HarborGuard environment - the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that embed firmware components or router-management tooling. Coverage extends to derivative layers so a vulnerable copy of the affected binary is flagged regardless of how it was packaged.
Triage (status: Available)
Triage is available with the published CVSS v4.0 score of 8.7 (High) weighted against each customer's compliance policy, so environments with stricter network-edge or EOL-software rules can escalate it further. Findings are routed to the security inbox configured for the owning team inside each customer org.
Patched rebuild (status: Pending upstream)
No upstream fix exists because the vendor has declared the device end-of-life, so a patched-image rebuild is not currently available. HarborGuard re-checks the advisory on every ingest cycle and will make a rebuild available automatically if an upstream or community patch is ever published.
Exploit Conditions
- Network reachability: Required
The attacker must reach the router's HTTP management interface over the network (AV:N).
- Authentication: Required
A low-privilege account on the router's web UI is sufficient to invoke the vulnerable handler (PR:L).
- Victim interaction: Not required
Exploitation does not require any action from a logged-in administrator or other user (UI:N).
- Attack complexity: Low
Attack complexity is low and a public exploit exists, so the overflow triggers reliably without environmental tuning (AC:L, E:P).
Blast Radius
- Overwrites the stack of the router's HTTP daemon, enabling arbitrary code execution in the context of the management process.
- Reads any credentials, WPA keys, and configuration secrets stored on the device.
- Modifies routing, DNS, firewall, and domain-filter rules to redirect or intercept downstream client traffic.
- Crashes or bricks the router, taking the network segment behind it offline.
How HarborGuard Handles This
Available on HarborGuard: continuous tracking of the VulDB advisory with automatic re-evaluation on every ingest, so any future community or vendor patch immediately produces a rebuilt image candidate for affected workloads. Because the device is vendor-declared EOL with no fix forthcoming, HarborGuard also surfaces compensating-control guidance for environments that still ship or manage this firmware - restricting the management interface to a dedicated admin VLAN via network policy, blocking WAN-side access to /goform/* endpoints at an upstream gateway, and gating any tooling that embeds the affected binary behind a feature flag until it can be removed. For customers who opt into auto-remediation, a PR replacing or removing the EOL component will be opened against affected workloads as soon as a supported replacement image is registered in the environment.
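As an added defender-side example (not part of the advisory and not HarborGuard's own tooling), the following Python check flags the two conditions the compensating-control guidance above targets: oversized values in the four vulnerable arguments posted to /goform/formSetDomainFilter, and any /goform/* request arriving on the WAN side. The length threshold, the request-record format and the sample requests are assumptions constructed for this example; the real buffer size is not published in the advisory.

```python
"""Defender-side request triage for CVE-2026-10123 (added example).

Flags POSTs to /goform/formSetDomainFilter whose domain-filter arguments
are oversized, and any /goform/* request that arrives on the WAN side.
"""
from urllib.parse import parse_qs

VULN_PATH = "/goform/formSetDomainFilter"
VULN_ARGS = ("blocked_domain", "permitted_domain",
             "blocked_domain_list", "permitted_domain_list")
# Assumed alert threshold; the overflowed buffer's real size is not published.
MAX_ARG_LEN = 64


def inspect_request(record):
    """Return a list of finding strings for one request record.

    record: dict with keys 'src_iface', 'method', 'path', 'body'
    (an assumed normalised format, e.g. from a gateway or proxy log).
    """
    findings = []
    path = record["path"]
    if record["src_iface"] == "wan" and path.startswith("/goform/"):
        findings.append(f"WAN-side access to management endpoint {path}")
    if record["method"] == "POST" and path == VULN_PATH:
        params = parse_qs(record["body"], keep_blank_values=True)
        for name in VULN_ARGS:
            for value in params.get(name, []):
                if len(value) > MAX_ARG_LEN:
                    findings.append(
                        f"oversized {name} ({len(value)} bytes) to {VULN_PATH}")
    return findings


# Constructed sample records: one benign LAN update, one oversized LAN
# argument, one WAN-side probe of the management endpoint.
SAMPLE_REQUESTS = [
    {"src_iface": "lan", "method": "POST", "path": VULN_PATH,
     "body": "blocked_domain=ads.example&permitted_domain="},
    {"src_iface": "lan", "method": "POST", "path": VULN_PATH,
     "body": "blocked_domain_list=" + "a" * 300},
    {"src_iface": "wan", "method": "GET", "path": VULN_PATH, "body": ""},
]


def scan(records):
    """Map record index -> findings for every record that produced one."""
    return {i: f for i, r in enumerate(records) if (f := inspect_request(r))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        for finding in findings:
            print(f"request {idx}: {finding}")
```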
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1 (TRENDnet / TEW-432BRP 3.10B20)
- CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P