CVE-2026-10160: TRENDnet TEW-432BRP formSetEnableWizard stack-based overflow
A security vulnerability has been detected in TRENDnet TEW-432BRP 3.10B20. Affected by this issue is the function formSetEnableWizard of the file /goform/formSetEnableWizard. Manipulation of the argument start_wizard leads to a stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.
HarborGuard Analysis
Synopsis
A stack-based buffer overflow exists in the formSetEnableWizard handler (/goform/formSetEnableWizard) of TRENDnet TEW-432BRP 3.10B20, triggered by a crafted start_wizard argument. The flaw is reachable over the network and requires only a low-privilege account, and successful exploitation lets an attacker corrupt stack memory to execute code or crash the device, fully compromising confidentiality, integrity, and availability of the router. The device has been end-of-life since 2009 and the vendor has stated it will not issue a fix; HarborGuard tracks the advisory and will surface a patched rebuild if upstream ever publishes one.
HarborGuard Coverage
- Detection: Available. The CVE record is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that bundle TRENDnet firmware or the affected goform binary.
- Triage: Available. The published CVSS v4.0 score of 8.7 (High) is applied automatically, then reweighted against each customer's compliance policy (for example, exposure of consumer-grade router firmware in production) before routing to the responsible inbox inside the customer org.
- Patched rebuild: Pending upstream. Because no fix has been published and the vendor has declared the product end-of-life, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment any upstream or community fix appears; until then, the triage record stays open with compensating-control guidance attached.
Exploit Conditions
- Network reachability: Required
The attacker must reach the router's web management interface over the network (AV:N).
- Authentication: Required
A low-privilege account on the device is sufficient to invoke the vulnerable handler (PR:L).
- Victim interaction: Not required
No user action is needed; the attacker drives the request directly against /goform/formSetEnableWizard.
- Attack complexity: Low
AC:L indicates a reliable exploit with no race conditions or environmental prerequisites, and a public proof-of-concept already exists.
Blast Radius
- Executes attacker-controlled code in the context of the router's web server, typically running with full device privileges.
- Reads stored configuration including Wi-Fi keys, admin credentials, and routing state.
- Modifies firmware configuration such as DNS servers, port forwards, and firewall rules to pivot deeper into the LAN.
- Crashes or bricks the router, dropping all network connectivity behind it.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the VulDB advisory for any upstream or community patch, with automatic rebuild availability the moment a fix is published. Because the vendor has confirmed the TEW-432BRP will not receive a fix, the triage record ships with compensating-control suggestions, including restricting management-interface reachability via network policy, blocking inbound access to /goform/* from untrusted segments, rotating any credentials previously entered on the device, and planning hardware replacement given the 15-year EOL status. For environments with auto-remediation enabled, any future patched image would be rebuilt, regression-tested, and proposed via PR against affected workloads automatically.
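The compensating controls above (restricting management-interface reachability and watching traffic to /goform/*) can be backed by a simple log check. The following is an added example written for this page, not HarborGuard's or TRENDnet's code. It assumes a reverse proxy or syslog forwarder records requests in Common Log Format with the request body appended as a trailing quoted field, that legitimate start_wizard values are short tokens (the MAX_PARAM_LEN threshold is an assumption to tune), and that administrative traffic should come only from an assumed management subnet (10.0.0.0/24). The sample log lines are constructed.

```python
"""Flag suspicious requests to the CVE-2026-10160 handler in access logs (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/goform/formSetEnableWizard"   # from the advisory
VULN_PARAM = "start_wizard"                 # from the advisory
MAX_PARAM_LEN = 16                          # assumption: real wizard flags are short tokens
MGMT_NET = ip_network("10.0.0.0/24")        # assumption: where admin traffic should originate

# Assumed log format: Common Log Format plus a trailing quoted request body
# (e.g. an nginx log_format that appends "$request_body"; "-" when no body was logged).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)


@dataclass
class Finding:
    src_ip: str
    status: int
    reasons: List[str]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_params(target: str, body: str) -> Dict[str, List[str]]:
    """Merge query-string and form-body parameters into one name -> values map."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if body and body != "-":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


def assess(rec: Dict[str, str]) -> List[str]:
    """Return why a request to the vulnerable handler is suspicious; empty list means benign."""
    if urlsplit(rec["target"]).path != VULN_PATH:
        return []
    reasons: List[str] = []
    if ip_address(rec["ip"]) not in MGMT_NET:
        reasons.append("source outside management segment")
    for value in request_params(rec["target"], rec["body"]).get(VULN_PARAM, []):
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"{VULN_PARAM} length {len(value)} exceeds {MAX_PARAM_LEN}")
    if rec["status"].startswith("5"):
        # A server error from a known-overflowable handler is worth surfacing on its own:
        # a crash of the web server is one of the outcomes the advisory describes.
        reasons.append("5xx response from vulnerable handler")
    return reasons


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run assess() over a log stream and collect the requests that need a look."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append(Finding(rec["ip"], int(rec["status"]), reasons))
    return findings


# Constructed sample log: one benign admin request, one from outside the management
# segment, one oversized parameter followed by a server error, and two unrelated lines.
LONG_VALUE = "x" * 200
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "POST {VULN_PATH} HTTP/1.1" 200 312 "{VULN_PARAM}=1"',
    f'198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "POST {VULN_PATH} HTTP/1.1" 200 312 "{VULN_PARAM}=1"',
    f'10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "POST {VULN_PATH} HTTP/1.1" 500 0 "{VULN_PARAM}={LONG_VALUE}"',
    f'10.0.0.5 - - [01/Jan/2026:10:00:03 +0000] "GET {VULN_PATH}?{VULN_PARAM}=1 HTTP/1.1" 200 312 "-"',
    '10.0.0.5 - - [01/Jan/2026:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src_ip} status={f.status}: {'; '.join(f.reasons)}")
```

Only the second and third sample lines produce findings: the first and fourth are short values from the management segment, and the fifth never touches the handler. The length threshold is the important knob; it is deliberately far below anything that could matter to a fixed-size stack buffer, so the check errs toward surfacing odd traffic rather than guessing the buffer size.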
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: — (no fix; product is end-of-life)
- Affected Products: 1
  - TRENDnet / TEW-432BRP 3.10B20
- CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P