HIGH | CVE-2026-10159 | CNA: VulDB

CVE-2026-10159: TRENDnet TEW-432BRP formSysLog stack-based overflow

A weakness has been identified in TRENDnet TEW-432BRP 3.10B20. Affected by this vulnerability is the function formSysLog of the file /goform/formSysLog. Manipulation of the argument current_page causes a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the formSysLog handler of the TRENDnet TEW-432BRP router (firmware 3.10B20), reached through the current_page argument on /goform/formSysLog. The flaw is reachable over the network and requires only a low-privilege account on the device's web interface, with no victim interaction. Successful exploitation corrupts the stack and enables full compromise of the router's confidentiality, integrity, and availability, including likely remote code execution on the device. The vendor has declared the product end-of-life since 2009 and will not issue a fix; HarborGuard tracks the advisory for any future patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines. Coverage extends to custom-built images, so embedded or repackaged TRENDnet firmware components in internal builds are flagged on the next scan cycle.

Triage: Available

Triage scoring uses the published CVSS v4.0 base of 8.7 (HIGH) and is reweighted per environment against each customer's compliance policy, so internet-exposed or regulated workloads can be escalated above default severity. Findings are routed to the appropriate inbox within each customer org for owner assignment.

Patch: Pending upstream

Because the vendor has declared the product end-of-life and no fix version exists, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment any upstream fix or community patch is published. Until then, the finding remains open with compensating-control guidance attached.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the device's HTTP management interface over the network (AV:N).

  • Authentication: Required

    A low-privilege account on the router's web interface is sufficient to invoke formSysLog (PR:L).

  • Victim interaction: Not required

    No user action is needed; the attacker drives the request directly (UI:N).

  • Attack complexity: Detail

    Attack complexity is low and a public exploit exists, so the overflow triggers reliably without special conditions (AC:L, E:P).

Blast Radius

  • Overwrites the stack in formSysLog, which on this class of embedded router typically yields arbitrary code execution as the web service account (often root).
  • Reads any configuration, credentials, and traffic metadata stored on the device, including Wi-Fi keys and admin passwords.
  • Modifies router configuration such as DNS servers, firewall rules, and firmware, enabling persistent traffic interception or redirection.
  • Crashes or bricks the device, taking the network segment behind it offline.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the VulDB advisory for any future fix, with the patched-image rebuild made available automatically the moment an upstream or community patch ships. Because the TEW-432BRP has been EOL since 2009 and the vendor has stated no fix will be issued, the practical guidance attached to the finding is to retire the device or apply compensating controls, including blocking inbound access to the web management interface, isolating the router on a dedicated network segment, restricting management to a trusted admin VLAN, and ensuring no low-privilege management accounts are exposed. For customers who opt into auto-remediation, any future rebuild will be regression-tested and a PR opened against affected workloads as soon as a fix becomes available.
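
Where the device cannot be retired immediately, requests to the affected handler can also be watched at a proxy or network sensor in front of the management interface. The following is an added example, not HarborGuard or TRENDnet code: it flags requests to /goform/formSysLog whose current_page value is not a short decimal number. The record layout, the function names and the notion of a benign value (a page index of at most four digits) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/goform/formSysLog"   # handler named in the advisory
PARAM = "current_page"               # argument named in the advisory
# Assumption: a legitimate value is a short decimal page index.
BENIGN_VALUE = re.compile(r"[0-9]{1,4}")

def check_request(method, uri, body=""):
    """Return findings for one HTTP request; an empty list means benign."""
    parts = urlsplit(uri)
    if parts.path.rstrip("/").lower() != TARGET_PATH.lower():
        return []
    # The argument may arrive in the query string or a form-encoded body.
    fields = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            fields.setdefault(key, []).extend(values)
    findings = []
    for value in fields.get(PARAM, []):
        # parse_qs has already percent-decoded the value, so the length
        # reported is the length the handler would receive.
        if not BENIGN_VALUE.fullmatch(value):
            findings.append(f"{PARAM} is not a short integer (length {len(value)})")
    return findings

def scan(records):
    """records: iterable of (src_ip, method, uri, body); returns alert tuples."""
    alerts = []
    for src, method, uri, body in records:
        for finding in check_request(method, uri, body):
            alerts.append((src, uri.split("?")[0], finding))
    return alerts

# Constructed sample records (not captured traffic).
SAMPLE = [
    ("192.0.2.10", "POST", "/goform/formSysLog", "current_page=2"),
    ("192.0.2.66", "POST", "/goform/formSysLog", "current_page=" + "A" * 600),
    ("192.0.2.66", "GET", "/goform/formSysLog?current_page=" + "%41" * 300, ""),
    ("192.0.2.10", "GET", "/index.asp", ""),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Any request to this handler from outside the trusted admin VLAN is worth alerting on regardless of the parameter value, since the guidance above is to block that path entirely.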

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1
  • Affected packages: TRENDnet / TEW-432BRP 3.10B20
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P