{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/tew-635brm--1.00.03/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-15480"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TEW-635BRM (\u003c= 1.00.03)"],"_cs_severities":["high"],"_cs_tags":["network","vulnerability","router","buffer-overflow","rce","eol"],"_cs_type":"advisory","_cs_vendors":["Trendnet"],"content_html":"\u003cp\u003eCVE-2026-15480 details a critical stack-based buffer overflow vulnerability affecting Trendnet TEW-635BRM router firmware versions up to 1.00.03. The flaw resides within the \u003ccode\u003estart_httpd\u003c/code\u003e function of the \u003ccode\u003e/sbin/rc\u003c/code\u003e component's Web Service. Threat actors can remotely exploit this vulnerability by sending specially crafted HTTP requests that manipulate the \u003ccode\u003edevice_name\u003c/code\u003e argument. Such manipulation leads to a buffer overflow, which can result in arbitrary code execution on the affected device. While a public exploit is available, the affected product has been End-of-Life (EOL) since 2011, meaning no official patches will be released. The vendor explicitly recommends that users replace these devices due to the confirmed vulnerability and lack of support. This vulnerability poses a significant risk to organizations still utilizing these legacy devices, as successful exploitation grants attackers full control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker sends a specially crafted HTTP request to the vulnerable Trendnet TEW-635BRM router.\u003c/li\u003e\n\u003cli\u003eThe HTTP request targets the device's Web Service component, which is responsible for handling web-based management.\u003c/li\u003e\n\u003cli\u003eThe attacker includes an overly long or malformed value in the \u003ccode\u003edevice_name\u003c/code\u003e argument within the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003estart_httpd\u003c/code\u003e function, located in the \u003ccode\u003e/sbin/rc\u003c/code\u003e file, processes the manipulated \u003ccode\u003edevice_name\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eDue to insufficient bounds checking, the function attempts to write the oversized input into a fixed-size buffer on the stack, leading to a stack-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow corrupts adjacent memory regions, allowing the attacker to overwrite critical data structures, including return addresses.\u003c/li\u003e\n\u003cli\u003eBy carefully controlling the overflow content, the attacker redirects the execution flow to their injected malicious code.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation results in arbitrary code execution with the privileges of the web service, granting the attacker full control over the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15480 grants unauthenticated remote attackers arbitrary code execution capabilities on affected Trendnet TEW-635BRM routers. Given that these devices are End-of-Life (EOL) and will not receive patches, any organization still using them faces a permanent and critical security risk. Attackers could gain complete control over the compromised router, enabling them to intercept or redirect network traffic, use the device as a pivot point into the internal network, launch further attacks, or incorporate the device into botnets. While no specific victim counts are provided, the public availability of an exploit means that any exposed, unreplaced device is a potential target.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eDecommission or Isolate Device:\u003c/strong\u003e Immediately decommission any Trendnet TEW-635BRM routers (CVE-2026-15480) given their End-of-Life status and the absence of patches. If decommissioning is not immediately feasible, isolate these devices from critical networks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReplace Hardware:\u003c/strong\u003e Replace all affected Trendnet TEW-635BRM routers with currently supported and patched network hardware.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T06:20:21Z","date_published":"2026-07-12T06:20:21Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15480/","summary":"CVE-2026-15480 describes a stack-based buffer overflow vulnerability in the Trendnet TEW-635BRM router firmware, specifically in the start_httpd function within the /sbin/rc component's Web Service, which can be exploited remotely by manipulating the 'device_name' argument, potentially leading to arbitrary code execution; an exploit is publicly available, but the product is End-of-Life (EOL) since 2011, and the vendor advises users to switch devices.","title":"Trendnet TEW-635BRM Web Service Stack-based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15480/"}],"language":"en","title":"CraftedSignal Threat Feed - TEW-635BRM (\u003c= 1.00.03)","version":"https://jsonfeed.org/version/1.1"}