<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Network-Device — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/network-device/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 02 May 2026 08:16:28 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/network-device/feed.xml" rel="self" type="application/rss+xml"/><item><title>TRENDnet TEW-821DAP Firmware Update Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-trendnet-buffer-overflow/</link><pubDate>Sat, 02 May 2026 08:16:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-trendnet-buffer-overflow/</guid><description>A buffer overflow vulnerability exists in TRENDnet TEW-821DAP version 1.12B01, allowing a remote attacker to execute arbitrary code by manipulating the 'str' argument in the auto_update_firmware function of the Firmware Update component.</description><content:encoded><![CDATA[<p>CVE-2026-7607 describes a buffer overflow vulnerability affecting TRENDnet TEW-821DAP version 1.12B01. The vulnerability resides within the auto_update_firmware function of the Firmware Update component. A remote attacker can exploit this flaw by sending a crafted request with a maliciously oversized &lsquo;str&rsquo; argument, leading to a buffer overflow. Although the CVSS score is high, the vendor has stated that the affected product reached its end-of-life 8 years ago and is no longer supported, significantly reducing the risk of widespread exploitation. 
This lack of support means no patches or updates will be provided, leaving vulnerable devices exposed if still in operation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable TRENDnet TEW-821DAP device running firmware version 1.12B01.</li>
<li>Attacker sends a specially crafted network packet to the device, targeting the Firmware Update component.</li>
<li>The packet includes a malicious &lsquo;str&rsquo; argument exceeding the buffer&rsquo;s allocated size in the auto_update_firmware function.</li>
<li>The device attempts to process the firmware update, copying the oversized &lsquo;str&rsquo; argument into the undersized buffer.</li>
<li>The buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.</li>
<li>Attacker hijacks control of the execution flow by overwriting the return address with the address of malicious code.</li>
<li>The device executes the attacker&rsquo;s arbitrary code with the privileges of the Firmware Update component.</li>
<li>The attacker gains control of the device, potentially enabling further malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this buffer overflow vulnerability could allow an attacker to gain complete control over the affected TRENDnet TEW-821DAP device. This could lead to unauthorized network access, data theft, or the device being used as a bot in a larger attack. Given that the affected product is EOL, the number of actively exploitable devices is likely low, but any remaining devices are at significant risk since no patch will be available.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Identify and isolate any TRENDnet TEW-821DAP devices running firmware version 1.12B01 on your network. Consider decommissioning them if possible due to the end-of-life status and lack of security updates.</li>
<li>Monitor network traffic for suspicious packets targeting the Firmware Update component of TRENDnet devices. Implement intrusion detection rules to identify and block potentially malicious requests (see example Sigma rule below).</li>
<li>Since this is a buffer overflow on a network device, monitor for unusual process creation or network connections originating from TRENDnet devices.</li>
<li>Deploy the provided Sigma rule to detect attempts to exploit the vulnerability by monitoring for unusual data lengths in network traffic related to firmware updates.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>buffer-overflow</category><category>firmware-update</category><category>network-device</category></item><item><title>D-Link DWM-222W USB Wi-Fi Adapter Brute-Force Protection Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-dlink-brute-force-bypass/</link><pubDate>Fri, 24 Apr 2026 04:16:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-dlink-brute-force-bypass/</guid><description>D-Link DWM-222W USB Wi-Fi Adapter is vulnerable to brute-force attacks due to a protection bypass, allowing unauthenticated adjacent network attackers to gain control over the device by circumventing login attempt limits.</description><content:encoded><![CDATA[<p>The D-Link DWM-222W USB Wi-Fi Adapter is susceptible to a brute-force protection bypass vulnerability (CVE-2026-6947). This flaw allows an attacker on an adjacent network to circumvent the built-in login attempt limits. By repeatedly attempting different credentials without being blocked, an attacker can successfully brute-force the password and gain unauthorized access to the device. This vulnerability poses a significant risk as it enables attackers to potentially reconfigure the device, intercept network traffic, or use the compromised device as a pivot point for further attacks within the network. Successful exploitation leads to full control over the D-Link Wi-Fi adapter.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker locates a vulnerable D-Link DWM-222W USB Wi-Fi Adapter within adjacent network range.</li>
<li>The attacker initiates network communication with the device, targeting its login interface, likely via HTTP or HTTPS.</li>
<li>The attacker sends a series of login requests with different username and password combinations.</li>
<li>Due to the brute-force protection bypass, the device does not enforce login attempt limits or implement account lockout mechanisms.</li>
<li>The attacker continues sending login requests until the correct credentials are found.</li>
<li>Upon successful authentication, the attacker gains administrative access to the D-Link DWM-222W USB Wi-Fi Adapter&rsquo;s configuration interface.</li>
<li>The attacker reconfigures the device to their specifications, potentially enabling remote access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6947 allows an attacker to gain complete control over the D-Link DWM-222W USB Wi-Fi Adapter. This can lead to unauthorized access to the network it connects to, data interception, or the device being used as a launchpad for further attacks within the network. The impact is significant, as it bypasses standard security measures and grants full administrative privileges to the attacker.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for excessive authentication attempts targeting the D-Link DWM-222W USB Wi-Fi Adapter to detect potential brute-force attacks. Deploy the Sigma rule <code>Detect Excessive Authentication Attempts</code> to identify such activity.</li>
<li>Implement network segmentation to limit the impact of a compromised D-Link DWM-222W USB Wi-Fi Adapter.</li>
<li>If possible, disable remote management interfaces on the D-Link DWM-222W USB Wi-Fi Adapter to reduce the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>brute-force</category><category>credential-access</category><category>network-device</category></item><item><title>H3C Magic B0 Router Buffer Overflow Vulnerability (CVE-2026-6560)</title><link>https://feed.craftedsignal.io/briefs/2026-04-h3c-magic-buffer-overflow/</link><pubDate>Sun, 19 Apr 2026 07:16:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-h3c-magic-buffer-overflow/</guid><description>A buffer overflow vulnerability (CVE-2026-6560) in H3C Magic B0 up to 100R002 allows remote attackers to execute arbitrary code by manipulating the 'param' argument in the Edit_BasicSSID function of the /goform/aspForm file.</description><content:encoded><![CDATA[<p>A critical buffer overflow vulnerability (CVE-2026-6560) has been identified in H3C Magic B0 routers, specifically in versions up to 100R002. The vulnerability resides within the <code>Edit_BasicSSID</code> function of the <code>/goform/aspForm</code> file. An attacker can remotely exploit this flaw by crafting malicious input to the <code>param</code> argument, leading to arbitrary code execution on the device. Public exploits are reportedly available, increasing the risk of widespread exploitation. The vendor was notified about this vulnerability, but has not provided any response or patch as of April 2026. This poses a significant risk to users of the affected H3C Magic B0 routers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable H3C Magic B0 router running firmware version 100R002 or earlier.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/goform/aspForm</code> endpoint.</li>
<li>The POST request includes the <code>Edit_BasicSSID</code> function call.</li>
<li>The <code>param</code> argument within the POST data contains a specially crafted string exceeding the buffer size allocated in the <code>Edit_BasicSSID</code> function.</li>
<li>The buffer overflow occurs when the <code>Edit_BasicSSID</code> function processes the oversized <code>param</code> argument without proper bounds checking.</li>
<li>The overflow overwrites adjacent memory regions, potentially including the return address on the stack.</li>
<li>The attacker gains control of the program execution flow.</li>
<li>The attacker executes arbitrary code on the router, potentially gaining full control of the device, exfiltrating data, or using it as a pivot point for further attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this buffer overflow vulnerability (CVE-2026-6560) allows a remote attacker to execute arbitrary code on the affected H3C Magic B0 router. This could lead to a complete compromise of the device, including the ability to modify router settings, intercept network traffic, and potentially gain access to connected devices on the network. Given the availability of public exploits, widespread exploitation is possible, potentially impacting a large number of home and small business networks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for suspicious POST requests to <code>/goform/aspForm</code> with unusually long <code>param</code> arguments (refer to the Attack Chain section).</li>
<li>Implement rate limiting for requests to <code>/goform/aspForm</code> to mitigate potential exploitation attempts (refer to the Attack Chain section).</li>
<li>Deploy the following Sigma rule to detect exploitation attempts targeting the vulnerable <code>Edit_BasicSSID</code> function.</li>
<li>Block network traffic originating from or destined to H3C Magic B0 devices until a patch is available.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer overflow</category><category>cve-2026-6560</category><category>h3c</category><category>router</category><category>network device</category></item><item><title>Totolink A7100RU OS Command Injection Vulnerability (CVE-2026-5677)</title><link>https://feed.craftedsignal.io/briefs/2026-04-totolink-os-command-injection/</link><pubDate>Mon, 06 Apr 2026 19:16:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-totolink-os-command-injection/</guid><description>A remote OS command injection vulnerability (CVE-2026-5677) exists in the CsteSystem function of the /cgi-bin/cstecgi.cgi file in Totolink A7100RU firmware version 7.4cu.2313_b20191024 due to improper handling of the resetFlags argument.</description><content:encoded><![CDATA[<p>A critical OS command injection vulnerability, tracked as CVE-2026-5677, has been identified in Totolink A7100RU routers running firmware version 7.4cu.2313_b20191024. The vulnerability resides within the <code>CsteSystem</code> function of the <code>/cgi-bin/cstecgi.cgi</code> file. By manipulating the <code>resetFlags</code> argument, a remote attacker can inject and execute arbitrary operating system commands on the affected device. This exploit is publicly available, increasing the risk of widespread exploitation. Successful exploitation allows an attacker to gain complete control over the device, potentially leading to data theft, denial of service, or use of the router as part of a botnet.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Totolink A7100RU router with firmware version 7.4cu.2313_b20191024.</li>
<li>The attacker sends a crafted HTTP request to the <code>/cgi-bin/cstecgi.cgi</code> endpoint.</li>
<li>The HTTP request includes the <code>resetFlags</code> argument with a malicious payload containing OS commands.</li>
<li>The <code>CsteSystem</code> function processes the request without proper sanitization of the <code>resetFlags</code> argument.</li>
<li>The injected OS commands are executed with the privileges of the web server process.</li>
<li>The attacker gains arbitrary code execution on the router&rsquo;s operating system.</li>
<li>The attacker can then install persistent backdoors, modify router settings, or use the device for further attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5677 allows a remote attacker to execute arbitrary commands on vulnerable Totolink A7100RU routers. This can lead to complete compromise of the device, enabling attackers to steal sensitive information, disrupt network services, or use the router as a launchpad for other attacks, such as botnet participation or man-in-the-middle attacks. Given the widespread use of Totolink routers, a successful large-scale exploitation could affect thousands of users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Totolink A7100RU CsteSystem Command Injection Attempt</code> to your SIEM to identify malicious requests to the <code>/cgi-bin/cstecgi.cgi</code> endpoint.</li>
<li>Inspect web server logs for suspicious POST requests to <code>/cgi-bin/cstecgi.cgi</code> containing shell metacharacters in the <code>resetFlags</code> parameter to detect exploitation attempts (log source: web server logs).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-5677</category><category>totolink</category><category>command-injection</category><category>network-device</category></item><item><title>Hirschmann EagleSDV Denial-of-Service Vulnerability (CVE-2022-4986)</title><link>https://feed.craftedsignal.io/briefs/2026-04-hirschmann-dos/</link><pubDate>Thu, 02 Apr 2026 22:16:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-hirschmann-dos/</guid><description>Hirschmann EagleSDV devices are vulnerable to denial-of-service (DoS) attacks where a device crash can be triggered by establishing TLS 1.0 or TLS 1.1 connections, leading to service disruption.</description><content:encoded><![CDATA[<p>Hirschmann EagleSDV devices are susceptible to a denial-of-service vulnerability, identified as CVE-2022-4986. This vulnerability allows an attacker to crash the device by establishing TLS sessions using the outdated TLS 1.0 or TLS 1.1 protocols. Successful exploitation results in service unavailability, impacting network operations reliant on the affected device. The vulnerability stems from improper handling of older TLS versions during session establishment. Given the critical role EagleSDV devices play in network infrastructure, this vulnerability poses a significant risk to organizations that have not yet patched their systems or disabled the deprecated protocols.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Hirschmann EagleSDV device accessible over the network.</li>
<li>The attacker crafts a TLS connection request using TLS 1.0.</li>
<li>The attacker sends the crafted TLS 1.0 connection request to the target EagleSDV device.</li>
<li>The EagleSDV device attempts to process the TLS 1.0 handshake.</li>
<li>Due to the vulnerability, the device encounters an error during the session establishment phase of the TLS handshake.</li>
<li>This error leads to uncontrolled resource consumption (CWE-400) within the device&rsquo;s TLS processing module.</li>
<li>The resource exhaustion causes the device&rsquo;s operating system to become unstable.</li>
<li>The device crashes, resulting in a denial-of-service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2022-4986 leads to a denial-of-service condition on the affected Hirschmann EagleSDV device. This can disrupt network services and cause downtime. The number of affected devices and sectors is unknown, but the impact could be significant for organizations relying on these devices for critical infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Disable TLS 1.0 and TLS 1.1 on all Hirschmann EagleSDV devices to mitigate the vulnerability described in CVE-2022-4986.</li>
<li>Use a network monitoring solution (log source: network_connection) to watch for attempts to establish TLS connections with TLS 1.0 or TLS 1.1 to Hirschmann EagleSDV devices, as these may indicate exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial-of-service</category><category>cve-2022-4986</category><category>network-device</category></item><item><title>Linksys MR9600 SmartConnect OS Command Injection (CVE-2026-4558)</title><link>https://feed.craftedsignal.io/briefs/2026-03-linksys-rce/</link><pubDate>Mon, 23 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-linksys-rce/</guid><description>A remote OS command injection vulnerability exists in the Linksys MR9600 router version 2.0.6.206937, allowing attackers to execute arbitrary commands by manipulating specific function arguments via the SmartConnect.lua file.</description><content:encoded><![CDATA[<p>CVE-2026-4558 is a critical vulnerability affecting Linksys MR9600 routers, specifically version 2.0.6.206937. The flaw resides within the <code>smartConnectConfigure</code> function of the <code>SmartConnect.lua</code> file. Attackers can remotely inject OS commands by manipulating the <code>configApSsid</code>, <code>configApPassphrase</code>, <code>srpLogin</code>, or <code>srpPassword</code> arguments. Publicly available exploits exist, increasing the risk of exploitation. The vendor was notified but has not yet provided a patch or response, leaving users…</p>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-4558</category><category>linksys</category><category>command-injection</category><category>network-device</category></item><item><title>Totolink A8000RU OS Command Injection Vulnerability (CVE-2026-7154)</title><link>https://feed.craftedsignal.io/briefs/2024-01-totolink-a8000ru-command-injection/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-totolink-a8000ru-command-injection/</guid><description>A remote OS command injection vulnerability exists in the Totolink A8000RU router version 7.1cu.643_b20200521, allowing attackers to execute arbitrary commands by manipulating the 'tty_server' argument in the 'setAdvancedInfoShow' function.</description><content:encoded><![CDATA[<p>CVE-2026-7154 describes a critical vulnerability affecting the Totolink A8000RU router, specifically version 7.1cu.643_b20200521. The vulnerability is located in the <code>setAdvancedInfoShow</code> function within the <code>/cgi-bin/cstecgi.cgi</code> file, which handles CGI requests. An attacker can remotely exploit this flaw by manipulating the <code>tty_server</code> argument, leading to OS command injection. This means an unauthenticated attacker can potentially execute arbitrary commands on the underlying operating system of the router. The exploit is publicly available, increasing the likelihood of exploitation in the wild. Successful exploitation allows complete control over the device.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Totolink A8000RU router with the affected firmware version exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/cgi-bin/cstecgi.cgi</code> endpoint.</li>
<li>The crafted request includes the <code>setAdvancedInfoShow</code> function call with a manipulated <code>tty_server</code> argument containing an OS command injection payload.</li>
<li>The webserver receives the crafted request and passes the <code>tty_server</code> argument to the vulnerable function.</li>
<li>The vulnerable function executes the attacker-supplied OS command due to insufficient input validation and sanitization.</li>
<li>The injected command executes with the privileges of the web server process, typically root.</li>
<li>The attacker gains arbitrary code execution on the router&rsquo;s operating system.</li>
<li>The attacker can then use this access to install malware, change router settings, or use the router as a pivot point for further attacks within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7154 allows a remote, unauthenticated attacker to execute arbitrary commands on the affected Totolink A8000RU router. This can lead to complete compromise of the device, potentially affecting all connected devices on the network. An attacker could steal sensitive information, disrupt network services, or use the compromised router as a botnet node. Given the public availability of the exploit, mass exploitation is a significant risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for suspicious POST requests to <code>/cgi-bin/cstecgi.cgi</code> with unusual characters or command-like syntax in the <code>tty_server</code> parameter, as this could indicate exploitation attempts (see example Sigma rule below).</li>
<li>Implement network intrusion detection system (IDS) rules to detect attempts to exploit this vulnerability by monitoring HTTP traffic for malicious payloads in the <code>tty_server</code> parameter.</li>
<li>Apply available patches or firmware updates provided by Totolink to address CVE-2026-7154 when they become available.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>cve-2026-7154</category><category>command-injection</category><category>network-device</category></item></channel></rss>