CVE-2026-10120 TRENDnet CVE debrief

Who should care

Organizations with legacy network infrastructure, SOHO environments with aging equipment, managed service providers maintaining client router fleets, and security teams responsible for IoT/OT asset inventory and lifecycle management.

Technical summary

The `formSetFirewallRule` function in TRENDnet TEW-432BRP firmware 3.10B20 fails to properly bounds-check the `firewall_name` parameter before copying it to a stack-allocated buffer. An authenticated or unauthenticated remote attacker (depending on device configuration) can send a crafted HTTP request to `/goform/formSetFirewallRule` with an oversized `firewall_name` value, triggering stack corruption and potential arbitrary code execution. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/E:P) reflects network exploitability with public exploit availability and high impacts to confidentiality, integrity, and availability.

Defensive priority

critical

Recommended defensive actions

• Immediately inventory all TRENDnet TEW-432BRP devices and remove from production networks
• Block or restrict access to /goform/formSetFirewallRule at network perimeter if device retirement is not immediately feasible
• Implement network segmentation to isolate any remaining EOL devices from critical assets
• Monitor for suspicious traffic targeting goform endpoints on legacy TRENDnet device IP ranges
• Replace with actively supported router hardware from vendor with security update commitment

Evidence notes

Vulnerability disclosed via VulDB with public proof-of-concept. Vendor confirmed EOL status and no remediation planned. CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and no user interaction.

Official resources