CVE-2026-5355
Published: 02 April 2026
Description
A vulnerability has been found in Trendnet TEW-657BRM 1.00.1. Affected by this issue is the function vpn_drop of the file /setup.cgi. The manipulation of the argument policy_name leads to os command injection. The attack is possible to be carried out…
more
remotely. The exploit has been disclosed to the public and may be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires disabling or removing unsupported EOL system components like the Trendnet TEW-657BRM to eliminate exposure to this unpatchable OS command injection vulnerability.
Information input validation on the policy_name argument in the vpn_drop function of /setup.cgi directly prevents OS command injection by rejecting malformed or malicious inputs.
Boundary protection at network interfaces blocks remote access to the vulnerable /setup.cgi endpoint, stopping exploitation over the network.
Security SummaryAI
CVE-2026-5355 is an OS command injection vulnerability affecting the Trendnet TEW-657BRM router running firmware version 1.00.1. The issue resides in the vpn_drop function within the /setup.cgi file, where manipulation of the policy_name argument enables command injection. Classified under CWE-77 and CWE-78, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on April 2, 2026.
The vulnerability can be exploited remotely by an attacker with low privileges over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling arbitrary command execution on the affected device.
Vendor advisories indicate that the TEW-657BRM product reached end-of-life on June 23, 2011, over 14 years ago, and is no longer supported. Trendnet states they cannot confirm the vulnerability due to lack of support but plans to announce it on their product support page and notify registered customers. No patches or mitigations are available, as the product only affects unsupported devices.
An exploit for this vulnerability has been publicly disclosed, including details on GitHub and VulDB references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in web CGI (/setup.cgi) on public-facing router web interface directly enables T1190 (Exploit Public-Facing Application). Exploitation grants arbitrary OS command execution on network device, facilitating T1059.008 (Network Device CLI).