CVE-2026-5354

MediumPublic PoC

Published: 02 April 2026

Published

02 April 2026

Modified

07 April 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0038 59.3th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A flaw has been found in Trendnet TEW-657BRM 1.00.1. Affected by this vulnerability is the function vpn_connect of the file /setup.cgi. Executing a manipulation of the argument policy_name can lead to os command injection. The attack can be executed remotely.…

The exploit has been published and may be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates untrusted inputs like the policy_name argument in vpn_connect to prevent OS command injection exploitation.

SA-22 Unsupported System Components good match

prevent

Prohibits or replaces unsupported EOL components such as the Trendnet TEW-657BRM firmware vulnerable to this unpatchable command injection flaw.

SI-2 Flaw Remediation partial match

prevent

Establishes processes to identify, report, and remediate flaws like this CVE through mitigation strategies including isolation or decommissioning since patching is unavailable.

Security SummaryAI

CVE-2026-5354 is an OS command injection vulnerability (CWE-77, CWE-78) in the vpn_connect function of the /setup.cgi file within Trendnet TEW-657BRM firmware version 1.00.1. Manipulation of the policy_name argument allows arbitrary command execution. The issue carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on April 2, 2026.

The vulnerability can be exploited remotely by attackers with low privileges (PR:L), such as authenticated users, over the network with low complexity and no user interaction required. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing command injection to execute operating system commands on the affected device.

Vendor advisories indicate the product has been discontinued and reached end-of-life on June 23, 2011—over 14 years ago—with no ongoing support. Trendnet states it cannot confirm the vulnerability and will not provide patches, but plans to announce details on its product support page and notify registered customers.

An exploit has been publicly disclosed, and the vulnerability exclusively affects these unsupported products. No evidence of widespread real-world exploitation is noted in available references.

Details

CWE(s): CWE-77 CWE-78

Affected Products

trendnet

tew-657brm firmware

1.00.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

OS command injection in public-facing web CGI (/setup.cgi) enables T1190 (Exploit Public-Facing Application) for remote exploitation and T1059.004 (Unix Shell) for arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/panda666-888/vuls/blob/main/trendnet/tew-657brm/vpn_connect.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/submit/781568
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354707
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354707/cti
Permissions Required, VDB Entry · cna@vuldb.com