CVE-2026-10161 TRENDnet CVE debrief

Who should care

Organizations still operating TRENDnet TEW-432BRP routers; network administrators responsible for legacy embedded device inventory; security teams managing IoT/OT network segments with EOL equipment.

Technical summary

The TRENDnet TEW-432BRP 3.10B20 firmware contains a stack-based buffer overflow (CWE-121/CWE-119) in the `formResetStatistic` function of `/goform/formResetStatistic`. The `status_statistic` parameter lacks proper bounds validation, allowing an attacker to overwrite the stack. The attack is remotely exploitable with low complexity and requires low privileges. The vendor confirmed the product has been end-of-life since 2009 with no remediation path.

Defensive priority

critical

Recommended defensive actions

• Immediately remove TRENDnet TEW-432BRP devices from production networks; no patch will be issued due to 15-year EOL status.
• Block or restrict access to `/goform/formResetStatistic` at network boundaries if device retirement is not immediately feasible.
• Monitor network traffic for requests to `/goform/formResetStatistic` containing unusually large or malformed `status_statistic` values.
• Inventory all TRENDnet TEW-432BRP deployments and prioritize replacement with actively supported routing hardware.
• Review network segmentation to ensure EOL devices are isolated from critical assets and cannot be reached from untrusted networks.

Evidence notes

The vulnerability was published to NVD on 2026-05-31. The vendor confirmed EOL status with no remediation planned. CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and no user interaction needed. Public exploit availability is indicated by the 'E:P' (Exploit: Proof-of-concept) metric in the CVSS vector.

Official resources