HarborGuard / CVE
Severity: HIGH | CVE-2026-10158 | CNA: VulDB

CVE-2026-10158: TRENDnet TEW-432BRP formPortFw stack-based overflow

A security flaw has been discovered in TRENDnet TEW-432BRP 3.10B20. The affected function is formPortFw in the file /goform/formPortFw. Manipulation of the argument server_name results in a stack-based buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow in the formPortFw handler of the TRENDnet TEW-432BRP router (firmware 3.10B20) lets an attacker overflow a fixed-size stack buffer by supplying an oversized server_name parameter to /goform/formPortFw. The bug is reachable over the network and requires only a low-privilege account on the device's web interface; successful exploitation corrupts the stack and yields full compromise of confidentiality, integrity, and availability on the device, typically as code execution in the web server process. The device is end-of-life and the vendor has stated it will not issue a fix; HarborGuard tracks the advisory and will make a patched rebuild available if an upstream fix is ever published.

HarborGuard Coverage

  • Detection: Available

    Detection is available across every HarborGuard environment, with VulDB and NVD advisories ingested within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that embed TRENDnet firmware or related components. Images carrying the affected TEW-432BRP 3.10B20 firmware are flagged on the next scan cycle.

  • Triage: Available

    Triage is available with the CVSS v4.0 base score of 8.7 (High) applied and then reweighted against each customer's compliance policy, so environments that treat internet-exposed network appliances as critical can escalate further. Findings route to the inbox configured for network-device or appliance CVEs inside each customer org.

  • Patch: Pending upstream

    No upstream fix exists because the product has been EOL since 2009 and the vendor has declined to patch. HarborGuard re-checks the advisory on each ingest cycle and will make a patched-image rebuild available the moment any upstream or community fix is published; until then, the finding stays open with compensating-control guidance attached.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the device's HTTP management interface over the network (AV:N).

  • Authentication: Required

    A low-privilege account on the web interface is sufficient to invoke formPortFw (PR:L).

  • Victim interaction: Not required

    No user action is needed; the attacker hits the endpoint directly (UI:N).

  • Attack complexity: Low

    Attack complexity is low and a public exploit has been released, so the overflow triggers reliably without special conditions (AC:L, E:P).

Blast Radius

  • Overwrites the stack of the device's web server process, typically enabling arbitrary code execution as the web service account.
  • Reads any configuration, credentials, and traffic state held on the router, including Wi-Fi keys and admin credentials.
  • Modifies router configuration such as port forwarding, DNS, and firewall rules, allowing pivot into the LAN behind the device.
  • Crashes or bricks the web management service and can render the router unavailable until a power cycle or reflash.

How HarborGuard Handles This

Available on HarborGuard: continuous tracking of CVE-2026-10158 against every scanned image, with the finding surfaced on each scan until an upstream fix lands. Because the vendor has declared the TEW-432BRP end-of-life and will not patch, the recommended path is replacement of the device with a supported model; for environments where that is not immediately possible, HarborGuard surfaces compensating-control suggestions including restricting the web management interface to a management VLAN, blocking inbound access to /goform/formPortFw at an upstream firewall, rotating any credentials reachable from the device, and disabling remote administration. If a community or third-party firmware fix is ever published, a patched-image rebuild becomes available automatically, and customers with auto-remediation enabled get a rebuild, regression-test run, and PR opened against affected workloads.
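As an added example (not HarborGuard's or TRENDnet's code), the following Python script shows the compensating controls above from the detection side: it inspects captured HTTP requests to the router's management interface and flags any that arrive from outside an assumed management VLAN, or that send an oversized server_name parameter to /goform/formPortFw. The management subnet, the 64-byte length threshold, and the sample requests are all constructed assumptions; the advisory does not state the size of the overflowed buffer.

```python
"""Detection helper for CVE-2026-10158-style traffic.

Added example, not HarborGuard or TRENDnet code.  It parses captured HTTP
requests to the TEW-432BRP management interface and raises an alert when a
request comes from outside an assumed management network, or when a request
to /goform/formPortFw carries a server_name value longer than an assumed
sane maximum.  Thresholds and sample data are constructed for illustration.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

MGMT_NET = ipaddress.ip_network("10.0.99.0/24")  # assumed management VLAN
TARGET_PATH = "/goform/formPortFw"                 # handler named in the advisory
MAX_SERVER_NAME = 64                               # assumed upper bound, not from the advisory

# Constructed sample captures: (source IP, raw HTTP request).  Not real traffic.
SAMPLE_REQUESTS = [
    ("10.0.99.5",
     "POST /goform/formPortFw HTTP/1.1\r\nHost: 192.168.10.1\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "server_name=nas&ip=192.168.10.20&port_start=445&port_end=445"),
    ("203.0.113.7",
     "POST /goform/formPortFw HTTP/1.1\r\nHost: 192.168.10.1\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "server_name=" + "x" * 200 + "&ip=192.168.10.20"),
    ("10.0.99.5",
     "GET /index.asp HTTP/1.1\r\nHost: 192.168.10.1\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path and merged parameters.

    Query-string parameters and URL-encoded body parameters are merged into
    one dict of name -> list of values, mirroring how a CGI-style handler
    such as formPortFw would see them.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, *_ = request_line.split(" ")
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "path": parts.path, "params": params}


def inspect(src_ip, raw):
    """Return a list of alert strings for one captured request (empty if clean)."""
    alerts = []
    req = parse_request(raw)
    # Control 1: management interface should only be reachable from the management VLAN.
    if ipaddress.ip_address(src_ip) not in MGMT_NET:
        alerts.append(f"management interface reached from non-management source {src_ip}")
    # Control 2: an oversized server_name aimed at formPortFw is the overflow trigger shape.
    if req["path"] == TARGET_PATH:
        for value in req["params"].get("server_name", []):
            if len(value) > MAX_SERVER_NAME:
                alerts.append(
                    f"oversized server_name ({len(value)} bytes) sent to {TARGET_PATH}"
                )
    return alerts


def scan(samples=SAMPLE_REQUESTS):
    """Run inspect() over a list of (src_ip, raw_request) pairs; index -> alerts."""
    return {i: inspect(ip, raw) for i, (ip, raw) in enumerate(samples)}


if __name__ == "__main__":
    for idx, found in scan().items():
        status = "ALERT" if found else "ok"
        print(f"request {idx}: {status}")
        for line in found:
            print(f"    - {line}")
```

In practice the same two checks map onto the controls listed above: the source-network check is what an upstream firewall or management-VLAN ACL enforces, and the parameter-length check is what a reverse proxy or IDS rule in front of the device would apply to requests for /goform/formPortFw.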

Metrics

  • CVSS v4.0 score: 8.7
  • Severity: HIGH
  • Fixed in: no fixed version (no upstream fix exists; see Patch above)
  • Affected products: 1
  • Affected packages: TRENDnet / TEW-432BRP 3.10B20
  • CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P