Skip to main content

Tew 657Brm CVE-2026-5353

| EUVDEUVD-2026-18408 LOW
OS Command Injection (CWE-78)
2026-04-02 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 07, 2026 - 17:22 vuln.today
Public exploit code
EUVD ID Assigned
Apr 02, 2026 - 16:30 euvd
EUVD-2026-18408
Analysis Generated
Apr 02, 2026 - 16:30 vuln.today
CVE Published
Apr 02, 2026 - 16:15 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was detected in Trendnet TEW-657BRM 1.00.1. Affected is the function ping_test of the file /setup.cgi. Performing a manipulation of the argument c4_IPAddr results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

OS command injection in Trendnet TEW-657BRM 1.00.1 ping_test function allows authenticated remote attackers to execute arbitrary commands via manipulation of the c4_IPAddr parameter in /setup.cgi. Publicly available exploit code exists. The device has been end-of-life since June 2011 and is no longer supported by the vendor, making patching infeasible for affected users.

Technical ContextAI

The vulnerability exploits improper input validation in the ping_test function of the Trendnet TEW-657BRM router's web interface (setup.cgi). The c4_IPAddr parameter is passed unsanitized to an underlying OS command execution routine, violating CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The affected device is a wireless router from the mid-2000s; the vulnerability allows command injection through a web-accessible CGI script requiring only low-privilege authentication. CPE cpe:2.3:a:trendnet:tew-657brm:*:*:*:*:*:*:*:* identifies all versions of this product line.

RemediationAI

No vendor-released patch is available, as the manufacturer has discontinued the product and ceased support. Organizations operating legacy Trendnet TEW-657BRM devices should immediately plan replacement with modern, actively-supported networking equipment. Until replacement is feasible, mitigate exposure by restricting network access to the device's management interface (restrict access to setup.cgi and port 80/443 via firewall rules) and disabling remote management if available. Do not rely on this device for production or security-sensitive networks. Additional information on the device's deprecated status is available from Trendnet's official product support page.

Share

CVE-2026-5353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy