PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10060 TRENDnet CVE debrief

A command injection vulnerability exists in the TRENDnet TEW-432BRP router firmware version 3.10B20. The vulnerability resides in the `formSetRoute` function within the `/goform/formSetRoute` endpoint, where improper sanitization of the `ip`, `mask`, and `gateway` parameters allows remote attackers to inject and execute arbitrary system commands. The vendor has explicitly stated that this product reached end-of-life in 2009 and will not receive patches. The CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and no user interaction, with partial impacts to confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with proof-of-concept materials available.

Vendor
TRENDnet
Product
TEW-432BRP
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations operating legacy TRENDnet TEW-432BRP routers; network administrators responsible for SOHO or small business infrastructure; security teams managing end-of-life equipment inventories; compliance officers tracking unsupported hardware in regulated environments.

Technical summary

The TRENDnet TEW-432BRP firmware 3.10B20 contains a command injection vulnerability in the `formSetRoute` function of `/goform/formSetRoute`. The `ip`, `mask`, and `gateway` parameters are passed to underlying system commands without adequate input validation or sanitization, enabling authenticated remote attackers to execute arbitrary commands with the privileges of the web server process. The product has been end-of-life since 2009; the vendor explicitly declines to provide fixes.

Defensive priority

low

Recommended defensive actions

  • Remove TRENDnet TEW-432BRP devices from production networks immediately; the vendor confirmed end-of-life status in 2009 with no remediation available.
  • Block or restrict access to the `/goform/formSetRoute` endpoint at network boundaries if device removal is not immediately feasible.
  • Implement network segmentation to isolate legacy router infrastructure from critical assets and user networks.
  • Monitor for anomalous traffic targeting router management interfaces, particularly HTTP requests to `/goform/formSetRoute` with suspicious parameter payloads.
  • Replace affected devices with actively supported router hardware from vendors with established security update programs.

Evidence notes

Vendor end-of-life statement confirms no remediation path. CVSS 4.0 vector from NVD source: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Improper Neutralization of Special Elements used in a Command) identified as applicable weakness enumerations.

Official resources

public