https://feed.craftedsignal.io/products/tew-432brp-3.10b20/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 30 May 2026 16:24:25 +0000https://feed.craftedsignal.io/briefs/2026-05-trendnet-buffer-overflow/Sat, 30 May 2026 16:24:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-trendnet-buffer-overflow/A stack-based buffer overflow vulnerability (CVE-2026-10123) exists in TRENDnet TEW-432BRP version 3.10B20 within the formSetDomainFilter function, allowing a remote attacker to execute arbitrary code by manipulating specific arguments in a request to /goform/formSetDomainFilter.A stack-based buffer overflow vulnerability, identified as CVE-2026-10123, has been discovered in TRENDnet TEW-432BRP router, version 3.10B20. The vulnerability resides in the formSetDomainFilter function within the /goform/formSetDomainFilter file. This flaw allows a remote attacker to execute arbitrary code on the device by carefully crafting malicious input to the blocked_domain, permitted_domain, blocked_domain_list, or permitted_domain_list arguments. The vendor has stated that the affected product has been end-of-life (EOL) since 2009 and will not be providing a fix. This vulnerability poses a significant risk to users who are still operating this outdated and unsupported device, as it could be easily exploited due to the public availability of the exploit.

Attack Chain

1. The attacker identifies a vulnerable TRENDnet TEW-432BRP router running firmware version 3.10B20.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/formSetDomainFilter endpoint.
3. Within the POST request, the attacker manipulates the blocked_domain, permitted_domain, blocked_domain_list, or permitted_domain_list parameters.
4. The crafted input exceeds the buffer size allocated for these parameters within the formSetDomainFilter function.
5. The overflow overwrites adjacent memory on the stack, including the return address.
6. The overwritten return address is replaced with the address of malicious code controlled by the attacker.
7. The formSetDomainFilter function completes its execution and attempts to return.
8. Instead of returning to the intended location, the execution jumps to the attacker-controlled malicious code, achieving remote code execution.

Impact

Successful exploitation of this vulnerability (CVE-2026-10123) allows a remote attacker to execute arbitrary code on the vulnerable TRENDnet TEW-432BRP device. This could lead to complete compromise of the router, allowing the attacker to eavesdrop on network traffic, modify router settings, or use the device as a bot in a larger attack. Given that the product has been EOL since 2009, users still running this device are unlikely to receive security updates, leaving them permanently vulnerable. The impact is considered high due to the ease of exploitation and the potential for significant damage.

Recommendation

• Implement network segmentation to isolate vulnerable TRENDnet TEW-432BRP devices if they cannot be decommissioned.
• Deploy the Sigma rule Detect TRENDnet TEW-432BRP Buffer Overflow Attempt to identify suspicious requests to the /goform/formSetDomainFilter endpoint.
• Monitor web server logs for abnormally long values in the blocked_domain, permitted_domain, blocked_domain_list, and permitted_domain_list parameters within requests to /goform/formSetDomainFilter.

]]>highadvisorycvebuffer overflowremote code executionnetwork devicehttps://feed.craftedsignal.io/briefs/2026-05-trendnet-stack-overflow/Fri, 29 May 2026 15:18:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-trendnet-stack-overflow/TRENDnet TEW-432BRP version 3.10B20 is vulnerable to a stack-based buffer overflow via manipulation of the ip/mask/gateway arguments in the formSetRoute function of the /goform/formSetRoute file, enabling remote attackers to potentially execute arbitrary code.CVE-2026-10062 describes a stack-based buffer overflow vulnerability affecting TRENDnet TEW-432BRP router, version 3.10B20. The vulnerability resides within the formSetRoute function of the /goform/formSetRoute file. By manipulating the ip, mask, and gateway arguments, a remote attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. This vulnerability is remotely exploitable and has a public exploit available. However, TRENDnet has stated that the affected product has been End-of-Life (EOL) since 2009 and will not be patched. Defenders need to identify and isolate instances of this legacy hardware.

Attack Chain

1. The attacker identifies a vulnerable TRENDnet TEW-432BRP router running firmware version 3.10B20.
2. The attacker sends a crafted HTTP POST request to the /goform/formSetRoute endpoint.
3. The POST request includes oversized values for the ip, mask, and/or gateway parameters.
4. The formSetRoute function processes the request without proper bounds checking.
5. The oversized input overflows a stack buffer allocated for these parameters.
6. The buffer overflow overwrites adjacent memory on the stack, including the return address.
7. The function returns, transferring control to the attacker-controlled address.
8. The attacker executes arbitrary code on the router, potentially gaining complete control.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected TRENDnet TEW-432BRP router. Given the device’s End-of-Life status since 2009, a patch is not available. Compromise of the router could lead to network disruption, data theft, or the router being used as a botnet node. While the precise number of vulnerable devices is unknown, any organization still using this model is at significant risk.

Recommendation

• Identify and isolate any TRENDnet TEW-432BRP 3.10B20 devices on your network (see affected products).
• If these devices are business-critical, consider placing them behind a firewall with strict access control lists and intrusion prevention systems.
• Deploy the Sigma rules to detect potential exploitation attempts against the /goform/formSetRoute endpoint.
• Monitor web server logs (category: webserver) for unusual activity targeting the /goform/formSetRoute path.
• Consider network segmentation to limit the potential impact of a compromised device.

]]>highadvisorycvebuffer-overflowrouter