TRENDnet TEW-432BRP Stack-Based Buffer Overflow Vulnerability (CVE-2026-10123)

A stack-based buffer overflow vulnerability, identified as CVE-2026-10123, has been discovered in TRENDnet TEW-432BRP router, version 3.10B20. The vulnerability resides in the formSetDomainFilter function within the /goform/formSetDomainFilter file. This flaw allows a remote attacker to execute arbitrary code on the device by carefully crafting malicious input to the blocked_domain, permitted_domain, blocked_domain_list, or permitted_domain_list arguments. The vendor has stated that the affected product has been end-of-life (EOL) since 2009 and will not be providing a fix. This vulnerability poses a significant risk to users who are still operating this outdated and unsupported device, as it could be easily exploited due to the public availability of the exploit.

Attack Chain

1. The attacker identifies a vulnerable TRENDnet TEW-432BRP router running firmware version 3.10B20.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/formSetDomainFilter endpoint.
3. Within the POST request, the attacker manipulates the blocked_domain, permitted_domain, blocked_domain_list, or permitted_domain_list parameters.
4. The crafted input exceeds the buffer size allocated for these parameters within the formSetDomainFilter function.
5. The overflow overwrites adjacent memory on the stack, including the return address.
6. The overwritten return address is replaced with the address of malicious code controlled by the attacker.
7. The formSetDomainFilter function completes its execution and attempts to return.
8. Instead of returning to the intended location, the execution jumps to the attacker-controlled malicious code, achieving remote code execution.

Impact

Successful exploitation of this vulnerability (CVE-2026-10123) allows a remote attacker to execute arbitrary code on the vulnerable TRENDnet TEW-432BRP device. This could lead to complete compromise of the router, allowing the attacker to eavesdrop on network traffic, modify router settings, or use the device as a bot in a larger attack. Given that the product has been EOL since 2009, users still running this device are unlikely to receive security updates, leaving them permanently vulnerable. The impact is considered high due to the ease of exploitation and the potential for significant damage.

Recommendation

• Implement network segmentation to isolate vulnerable TRENDnet TEW-432BRP devices if they cannot be decommissioned.
• Deploy the Sigma rule Detect TRENDnet TEW-432BRP Buffer Overflow Attempt to identify suspicious requests to the /goform/formSetDomainFilter endpoint.
• Monitor web server logs for abnormally long values in the blocked_domain, permitted_domain, blocked_domain_list, and permitted_domain_list parameters within requests to /goform/formSetDomainFilter.