Skip to main content

TRENDnet TEW-635BRM CVE-2026-15481

| EUVDEUVD-2026-43203 HIGH
Command Injection (CWE-77)
2026-07-12 VulDB GHSA-wq7g-mf6c-75vq
7.4
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable admin interface with low-complexity injection requiring an authenticated low-privilege session (PR:L); root-level command execution yields full C/I/A impact with unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 12, 2026 - 06:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 12, 2026 - 06:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 12, 2026 - 06:22 vuln.today
cvss_changed
CVSS changed
Jul 12, 2026 - 06:22 NVD
8.7 (HIGH) 7.4 (HIGH)
Analysis Generated
Jul 12, 2026 - 06:20 vuln.today

DescriptionCVE.org

A security flaw has been discovered in Trendnet TEW-635BRM up to 1.00.03. This vulnerability affects the function ipoa_test of the file /sbin/rc of the component IPoA WAN Connection Setup. Performing a manipulation of the argument ipoa_ipaddr results in command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor explains: "We are unable to confirm if the vulnerability exists. This item has been EOL since 2011. We will make an official announcement of possible vulnerabilities, and recommend users to switch devices." This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Command injection in the TRENDnet TEW-635BRM wireless router (firmware through 1.00.03) lets an authenticated remote attacker inject OS commands via the ipoa_ipaddr argument handled by the ipoa_test function in /sbin/rc during IPoA WAN connection setup. Publicly available exploit code exists (published via VulDB and a researcher write-up), and because the device runs its control logic as a privileged system process, successful injection yields full command execution on the router. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach router admin interface (LAN or exposed WAN)
Delivery
Authenticate with low-privilege/admin credentials
Exploit
Submit IPoA WAN setup with crafted ipoa_ipaddr
Execution
Trigger command injection in ipoa_test (/sbin/rc)
Persist
Execute arbitrary OS commands on router
Impact
Pivot to internal network or alter routing/DNS

Vulnerability AssessmentAI

Exploitation Exploitation requires the device to be a TRENDnet TEW-635BRM (firmware ≤1.00.03) and requires the attacker to reach and submit the IPoA WAN Connection Setup, injecting into the ipoa_ipaddr argument that ipoa_test in /sbin/rc processes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H, base 7.4) indicates a network-reachable, low-complexity attack requiring some privilege (PR:L) that fully compromises the device's confidentiality, integrity, and availability, with E:P (Proof-of-Concept) maturity matching the reported public exploit. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the router's administration interface - on the LAN, or on a unit whose remote management is exposed - authenticates (or uses default/weak credentials) and submits the IPoA WAN configuration form with a crafted ipoa_ipaddr value containing shell metacharacters. When /sbin/rc's ipoa_test processes the field, the injected commands execute with the router's privileges, giving a foothold to intercept traffic, rewrite DNS/firewall rules, or pivot into the internal network. …
Remediation No vendor-released patch identified at time of analysis - the device is EOL since 2011 and TRENDnet has stated it will not confirm or fix the issue, recommending users replace the hardware, so the primary remediation is device replacement with a currently supported router. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all TRENDnet TEW-635BRM routers in production and immediately restrict administrative access; disable remote management if enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15481 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy