Command Injection Vulnerability in TRENDnet TEW-432BRP
CVE-2026-10180

5.3MEDIUM

Key Information:

Vendor: Trendnet
Status: Tew-432brp
Vendor: CVE Published:; 31 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-10180?

A command injection vulnerability exists in the TRENDnet TEW-432BRP router, specifically in the formSysCmd function located in the /goform/formSysCmd file. This vulnerability allows attackers to manipulate the sysCmd argument, potentially permitting remote command execution. As this product has been end-of-life (EOL) for over 15 years, TRENDnet has indicated that they cannot replicate or address this issue. Consequently, users of the TEW-432BRP should take immediate measures to secure their network, as this vulnerability could be exploited by malicious actors to compromise system integrity.

Affected Version(s)

TEW-432BRP 3.10B20

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-10180 - Proof of Concept

References

https://vuldb.com/vuln/367461

vdb-entrytechnical-description

https://vuldb.com/vuln/367461/cti

signaturepermissions-required

https://vuldb.com/cve/CVE-2026-10180

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 31, 2026
👾
Exploit known to exist
May 31, 2026
Vulnerability published
May 31, 2026
Vulnerability Reserved
May 30, 2026

Credit

pjq_Buoy (VulDB User)

VulDB CNA Team

CVE-2026-10180 Data

JSON

Trendnet