Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was determined in TRENDnet TEW-713RE up to 1.02. The affected element is the function sub_421494 of the file /goform/addRouting. Executing a manipulation of the argument dest can lead to command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Command injection in TRENDnet TEW-713RE firmware up to version 1.02 allows authenticated remote attackers to execute arbitrary commands via manipulation of the dest parameter in the /goform/addRouting function. The vulnerability has a CVSS score of 6.3 and publicly available exploit code exists; the vendor has not responded to early disclosure attempts, leaving affected devices without an official patch.
Technical ContextAI
The vulnerability resides in the sub_421494 function within the /goform/addRouting endpoint of TRENDnet TEW-713RE router firmware. This endpoint processes routing configuration requests and fails to properly validate or sanitize the dest parameter before passing it to shell command execution, creating a CWE-77 (Improper Neutralization of Special Elements used in a Command) condition. Attackers can inject shell metacharacters and command separators to break out of the intended command context and execute arbitrary system commands with the privileges of the router's web service process. The attack vector is network-based but requires authenticated access (PR:L per CVSS vector), meaning the attacker must first obtain valid router credentials.
RemediationAI
No vendor-released patch identified at time of analysis. TRENDnet has not responded to early disclosure notifications regarding this vulnerability. Organizations operating TEW-713RE devices should consider implementing network segmentation to restrict access to the router's administrative interface, enforce strong authentication credentials to limit credential compromise risk, and monitor for exploitation attempts targeting the /goform/addRouting endpoint. Users should review TRENDnet's support page for any available firmware updates or consider upgrading to a newer router model if this device is critical to network operations. A detailed technical breakdown of the vulnerability is available at https://github.com/panda666-888/vuls/blob/main/trendnet/tew-713re/addRouting.md.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17331
GHSA-rqfv-fqvg-7p3j