Severity: HIGH | CVE-2026-10161 | CNA: VulDB

CVE-2026-10161: TRENDnet TEW-432BRP formResetStatistic stack-based overflow

A vulnerability was detected in TRENDnet TEW-432BRP 3.10B20. It affects the function formResetStatistic of the file /goform/formResetStatistic. Manipulating the argument status_statistic results in a stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow in the formResetStatistic handler of TRENDnet TEW-432BRP 3.10B20 routers, reached by manipulating the status_statistic argument sent to /goform/formResetStatistic. The flaw is exploitable over the network and requires only a low-privilege account on the device's web interface; a public exploit exists. Successful exploitation corrupts the stack of the embedded HTTP server, enabling code execution, configuration tampering, and denial of service on the router. The device has been end-of-life since 2009 and the vendor will not issue a fix; HarborGuard tracks the advisory for any future patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against router firmware components and embedded web stacks in customer registries and pipelines. Coverage extends to custom-built images that vendor or repackage TRENDnet firmware artifacts.
Triage: Available

Triage is available with the CVSS v4.0 score of 8.7 (High) carried into each customer's risk view and weighted against their compliance policy, so EOL networking gear flagged under hardware-lifecycle rules surfaces with the right urgency. Findings route to the inbox configured for network-device or firmware ownership within each customer organization.
Patch: Pending upstream

Because no upstream fix exists and the vendor has declared the product permanently EOL, HarborGuard re-checks the advisory on every ingest cycle and will make a patched rebuild available the moment any third-party or community fix is published. Until then, the finding remains open with compensating-control guidance attached.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the router's HTTP management interface over the network.

  • Authentication: Required

    A low-privilege account on the device's web UI is sufficient to invoke the vulnerable handler (CVSS PR:L).

  • Victim interaction: Not required

    No user action on the victim side is needed; the request can be sent directly to the endpoint.

  • Attack complexity: Low

    Attack complexity is low (CVSS AC:L) and a public exploit exists, making the overflow reliable in practice.

Blast Radius

  • Executes attacker-controlled code in the context of the router's web server process, which typically runs with full device privileges.
  • Reads and exfiltrates stored credentials, WPA keys, and routing or DHCP configuration held by the device.
  • Modifies firewall rules, DNS settings, and persisted configuration to pivot or intercept traffic on the LAN.
  • Crashes the HTTP service or the device itself, taking the network segment offline.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the VulDB advisory with automatic ingestion of any future fix, plus compensating-control suggestions appropriate for an EOL device, including restricting management-interface reachability to a dedicated admin VLAN, blocking WAN-side access to /goform endpoints, rotating any credentials that have ever been used on the device, and planning replacement with a supported router. For environments with auto-remediation enabled, the moment an upstream or community patch becomes available a rebuilt firmware image and a PR against affected workloads will be generated automatically; until then the finding remains open with the lifecycle-replacement recommendation attached.
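The exploit conditions above and the compensating controls in this paragraph can both be turned into a simple network-side check: flag requests to /goform/formResetStatistic whose status_statistic value is unusually long, and flag any /goform/ request arriving from outside the management network. The following is an added example, not HarborGuard or TRENDnet code. The admin VLAN prefix (192.0.2.0/24), the length threshold (64 bytes; the real on-device buffer size is not published) and the sample requests are all constructed for illustration.

```python
"""Flag suspicious requests against the TEW-432BRP /goform/ handlers.

Added example (not vendor or HarborGuard code). Parses minimal HTTP/1.x
request records and returns a list of finding tags per request.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumed management network; anything else is treated as WAN/LAN-untrusted.
ADMIN_VLAN = ipaddress.ip_network("192.0.2.0/24")
# Assumed placeholder: the vulnerable stack buffer size is not public,
# so any status_statistic value longer than this is treated as suspicious.
MAX_STATUS_STATISTIC_LEN = 64
VULNERABLE_PATH = "/goform/formResetStatistic"


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path and merged parameters.

    Query-string parameters and urlencoded POST body parameters are merged,
    because GoAhead-style /goform handlers read form variables from both.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "path": parts.path, "params": params}


def classify(client_ip: str, raw_request: str) -> list[str]:
    """Return finding tags for one request; an empty list means clean."""
    findings = []
    req = parse_request(raw_request)
    src = ipaddress.ip_address(client_ip)

    # Compensating control: management endpoints must only be reachable
    # from the dedicated admin VLAN.
    if req["path"].startswith("/goform/") and src not in ADMIN_VLAN:
        findings.append("goform-from-outside-admin-vlan")

    # Exploit condition: oversized status_statistic to the vulnerable handler.
    if req["path"] == VULNERABLE_PATH:
        for value in req["params"].get("status_statistic", []):
            if len(value) > MAX_STATUS_STATISTIC_LEN:
                findings.append("oversized-status_statistic")
                break
    return findings


# Constructed sample traffic: (client IP, raw request).
SAMPLES = [
    ("192.0.2.10",
     "POST /goform/formResetStatistic HTTP/1.1\r\nHost: 192.0.2.1\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\nstatus_statistic=1"),
    ("192.0.2.10",
     "POST /goform/formResetStatistic HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
     "status_statistic=" + "A" * 300),
    ("203.0.113.5",
     "GET /goform/formResetStatistic?status_statistic=1 HTTP/1.1\r\n"
     "Host: 198.51.100.1\r\n\r\n"),
    ("192.0.2.10", "GET /status.htm HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"),
]


def scan(samples=SAMPLES) -> list[tuple[str, list[str]]]:
    """Classify every sample and return (client IP, findings) pairs."""
    return [(ip, classify(ip, raw)) for ip, raw in samples]


if __name__ == "__main__":
    for ip, hits in scan():
        print(ip, ", ".join(hits) if hits else "clean")
```

The length check is applied to the decoded form value, since the handler copies the decoded argument; the source check is intentionally broader than the single vulnerable endpoint, because on an EOL device every /goform/ handler should be assumed unpatched.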

Metrics

CVSS v4.0
8.7
Severity
HIGH
Fixed in
Not fixed (vendor EOL, no patch planned)
Affected Products
1
Affected packages
  • TRENDnet / TEW-432BRP
    3.10B20
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P