CVE-2026-10162 | Severity: HIGH | CNA: VulDB

CVE-2026-10162: TRENDnet TEW-432BRP formSetPassword stack-based overflow

A flaw has been found in TRENDnet TEW-432BRP 3.10B20. This vulnerability affects the function formSetPassword of the file /goform/formSetPassword. Manipulating the argument webpage can lead to a stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the formSetPassword handler at /goform/formSetPassword in TRENDnet TEW-432BRP firmware 3.10B20, triggered through a manipulated webpage argument. The flaw is reachable over the network and requires only a low-privileged account on the device, with a public exploit already in circulation. Successful exploitation corrupts the stack and can lead to remote code execution or a device crash, with full impact to confidentiality, integrity, and availability. The product has been end-of-life since 2009 and the vendor has stated no fix will be issued; HarborGuard tracks the advisory and will surface a patched rebuild if one is ever published.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that embed TRENDnet firmware or related components.

Triage (status: Available)

Triage is available with the CVSS v4.0 score of 8.7 (High) applied automatically and weighted against each customer's compliance policy, then routed to the appropriate security or platform inbox inside the customer organization.

Patch (status: Pending upstream)

Because the vendor has declared the product end-of-life with no fix planned, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment any upstream or community fix is published; in the meantime, compensating-control guidance is surfaced on the finding.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the device's HTTP management interface over the network (AV:N).

  • Authentication: Required

    A low-privileged account on the device is required to invoke formSetPassword (PR:L).

  • Victim interaction: Not required

    No user or administrator action is needed; the attacker drives the request directly (UI:N).

  • Attack complexity: Low

    Attack complexity is low and the published exploit is reliable, with no race conditions or environmental prerequisites (AC:L).

Blast Radius

  • Overwrites the stack frame of the formSetPassword handler, enabling arbitrary code execution on the router with the privileges of the web server process.
  • Reads and exfiltrates stored device configuration, including credentials and network settings (VC:H).
  • Modifies device configuration such as admin passwords, DNS, and firewall rules, giving the attacker persistent control of traffic (VI:H).
  • Crashes or bricks the router, taking the network segment behind it offline (VA:H).

How HarborGuard Handles This

Available on HarborGuard: continuous tracking of the advisory with automatic re-check on every ingest cycle, so that any future community or vendor fix triggers a patched-image rebuild and, for environments with auto-remediation enabled, a regression-tested PR opened against affected workloads. Because the device is vendor-declared end-of-life with no fix forthcoming, the finding also surfaces compensating-control guidance: isolate the management interface behind a network policy, restrict egress from the device's network segment, disable remote administration, and plan hardware replacement, since a public exploit is already in circulation against an attack surface that requires only a low-privileged account (PR:L).
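As an added example (not HarborGuard's or TRENDnet's code), the following Python filter shows how a defender could inspect captured management-interface traffic and flag requests to the vulnerable handler that carry an oversized webpage parameter. The path and parameter name come from the advisory; the length threshold and the sample requests are constructed assumptions, since the advisory does not state the size of the overflowed buffer.

```python
"""Flag HTTP requests to /goform/formSetPassword whose 'webpage' parameter is
abnormally long. Added example for this advisory, not vendor code.
MAX_WEBPAGE_LEN is an ASSUMED threshold: tune it against legitimate traffic."""
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/formSetPassword"   # handler named in the advisory
MAX_WEBPAGE_LEN = 64                      # ASSUMPTION: real values are short page names


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: method, path and merged query/body fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts
    url = urlsplit(target)
    fields = parse_qs(url.query, keep_blank_values=True)
    if method == "POST":
        # form-encoded body fields take precedence over query-string fields
        fields.update(parse_qs(body.decode("latin-1"), keep_blank_values=True))
    return {"method": method, "path": url.path, "fields": fields}


def check_request(raw: bytes) -> Optional[dict]:
    """Return a finding for a suspicious formSetPassword request, else None."""
    req = parse_request(raw)
    if req["path"] != TARGET_PATH:
        return None
    longest = max((len(v) for v in req["fields"].get("webpage", [])), default=0)
    if longest <= MAX_WEBPAGE_LEN:
        return None
    return {"path": req["path"], "param": "webpage", "length": longest,
            "cve": "CVE-2026-10162"}


def scan(requests: List[bytes]) -> List[dict]:
    """Run check_request over a batch of raw requests and keep the findings."""
    return [f for f in (check_request(r) for r in requests) if f]


# Constructed sample traffic (not captured from a real device)
_HDR = (b"POST /goform/formSetPassword HTTP/1.1\r\nHost: 192.168.10.1\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
BENIGN = _HDR + b"oldpass=x&newpass=y&webpage=password.htm"
SUSPICIOUS = _HDR + b"oldpass=x&newpass=y&webpage=" + b"A" * 600
OTHER = b"GET /goform/formLogin?webpage=" + b"A" * 600 + b" HTTP/1.1\r\nHost: r\r\n\r\n"

if __name__ == "__main__":
    for finding in scan([BENIGN, SUSPICIOUS, OTHER]):
        print(finding)
```

Only requests to the exact handler path are considered, so the same oversized value on a different endpoint (OTHER above) is not reported; extend TARGET_PATH to a set if other handlers need the same check.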


Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: no fix available (vendor end-of-life)
  • Affected products: 1
  • Affected packages: TRENDnet / TEW-432BRP 3.10B20
  • CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P