Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A flaw has been found in Trendnet TEW-657BRM 1.00.1. Affected by this vulnerability is the function vpn_connect of the file /setup.cgi. Executing a manipulation of the argument policy_name can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.
AnalysisAI
Remote authenticated command injection in TrendNet TEW-657BRM 1.00.1 allows manipulation of the policy_name parameter in /setup.cgi vpn_connect function to achieve operating system command execution with limited impact. The affected router has been end-of-life since June 2011 and is no longer supported by the vendor; however, publicly available exploit code exists and the vulnerability demonstrates real command injection capability despite the legacy product status.
Technical ContextAI
The vulnerability exploits improper input validation in the vpn_connect function of /setup.cgi on the TrendNet TEW-657BRM wireless router. The flaw is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that the application fails to sanitize or escape user-supplied input before passing it to system command execution routines. The policy_name parameter is directly concatenated into an OS command without proper validation, allowing an authenticated attacker to inject arbitrary shell metacharacters and commands. The CPE cpe:2.3:a:trendnet:tew-657brm indicates the specific vulnerable router model across all versions below 1.00.1.
RemediationAI
No vendor-released patch identified at time of analysis, as the manufacturer discontinued the TEW-657BRM over 14 years ago and explicitly stated they cannot confirm or remediate vulnerabilities in this end-of-life product. Organizations operating this router should immediately plan its replacement with a current-generation supported model from TrendNet or an alternative vendor. If operational continuity is temporarily required, isolate the router to a dedicated network segment with strict access controls and disable remote management features. For detailed vulnerability context, refer to https://vuldb.com/vuln/354707 and the proof-of-concept documentation at https://github.com/panda666-888/vuls/blob/main/trendnet/tew-657brm/vpn_connect.md.
More in Tew 657Brm
View allStack-based buffer overflow in Trendnet TEW-657BRM 1.00.1 wireless router allows authenticated remote attackers to achie
Stack-based buffer overflow in Trendnet TEW-657BRM router firmware 1.00.1 allows authenticated remote attackers to achie
OS command injection in Trendnet TEW-657BRM 1.00.1 ping_test function allows authenticated remote attackers to execute a
Remote code execution via OS command injection in TrendNet TEW-657BRM 1.00.1 allows authenticated attackers to execute a
OS command injection in TrendNet TEW-657BRM 1.00.1 router allows authenticated remote attackers to execute arbitrary com
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18410
GHSA-j222-qjwr-c34g