Skip to main content

TRENDnet TEW-821DAP CVE-2026-7608

| EUVDEUVD-2026-26767 LOW
OS Command Injection (CWE-78)
2026-05-02 VulDB
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Generated
May 02, 2026 - 09:30 vuln.today
Severity Changed
May 02, 2026 - 09:22 NVD
MEDIUM LOW
CVSS changed
May 02, 2026 - 09:22 NVD
5.5 (MEDIUM) 2.0 (LOW)
PoC Detected
May 02, 2026 - 09:16 vuln.today
Public exploit code
EUVD ID Assigned
May 02, 2026 - 09:00 euvd
EUVD-2026-26767
Analysis Generated
May 02, 2026 - 09:00 vuln.today
CVE Published
May 02, 2026 - 08:45 nvd
LOW 2.0

DescriptionCVE.org

A vulnerability was detected in TRENDnet TEW-821DAP up to 1.12B01. The affected element is the function tools_diagnostic. The manipulation results in os command injection. The exploit is now public and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

OS command injection in TRENDnet TEW-821DAP up to firmware version 1.12B01 allows authenticated local attackers to execute arbitrary commands via the tools_diagnostic function. The vulnerability affects only end-of-life hardware (v1.xR) discontinued 8 years ago and no longer receiving vendor support. Exploit code is publicly available, but real-world risk is severely constrained by the authentication requirement (PR:L), local network access (AV:A), and the product's obsolete status with no active install base.

Technical ContextAI

The vulnerability resides in the tools_diagnostic function within the TRENDnet TEW-821DAP wireless access point firmware. CWE-78 identifies this as a classic OS command injection flaw where user-supplied input is passed unsanitized to a shell command interpreter. The attack vector is adjacent (AV:A), meaning an attacker must be on the same network segment as the device. The affected CPE cpe:2.3:a:trendnet:tew-821dap:*:*:*:*:*:*:*:* indicates all versions up to 1.12B01 are vulnerable. The function likely constructs system commands dynamically from diagnostic parameters without proper input validation or escaping, allowing injection of pipe (|), semicolon (;), or backtick (`) characters to chain arbitrary commands.

RemediationAI

No vendor-released patch is available - TRENDnet confirmed the affected hardware (v1.xR) reached end-of-life status 8 years ago and is no longer supported. Organizations operating these devices should prioritize decommissioning and replacement with current-generation TRENDnet or alternative wireless access points. Interim compensating controls for devices that cannot be immediately retired include: (1) Restrict network access to the management interface by configuring host-based firewall rules or network segmentation - block inbound connections to the management port (typically HTTP/HTTPS, port 80/443) except from authorized administrative subnets; (2) Change default or weak administrative credentials to strong, unique passwords and disable remote management features if supported; (3) Physically isolate the device on a dedicated VLAN with restricted ingress/egress rules, preventing lateral movement from compromised client devices. Note these controls do not eliminate the vulnerability but reduce the likelihood of exploitation by authenticated attackers with network adjacency.

Share

CVE-2026-7608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy