Skip to main content

TRENDnet TEW-821DAP EUVDEUVD-2026-26760

| CVE-2026-7606 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-05-02 VulDB
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
May 02, 2026 - 08:22 NVD
LOW MEDIUM
CVSS changed
May 02, 2026 - 08:22 NVD
3.7 (LOW) 6.3 (MEDIUM)
Analysis Generated
May 02, 2026 - 08:00 vuln.today
EUVD ID Assigned
May 02, 2026 - 07:30 euvd
EUVD-2026-26760
Analysis Generated
May 02, 2026 - 07:30 vuln.today
Patch released
May 02, 2026 - 07:30 nvd
Patch available
CVE Published
May 02, 2026 - 06:45 nvd
MEDIUM 6.3

DescriptionCVE.org

A weakness has been identified in TRENDnet TEW-821DAP 1.12B01. This issue affects the function find_hwid/new_gui_update_firmware of the component Firmware Update Handler. Executing a manipulation of the argument dest can lead to insufficient verification of data authenticity. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Insufficient verification of data authenticity in the firmware update handler of TRENDnet TEW-821DAP 1.12B01 allows remote attackers to manipulate the dest argument during firmware updates, leading to integrity violations. The vulnerability requires high attack complexity and affects only end-of-life hardware (version 1.xR) discontinued 8 years ago. CVSS score is 3.7 (low) with integrity impact but no confidentiality or availability impact; no public exploit confirmed.

Technical ContextAI

The vulnerability resides in the find_hwid/new_gui_update_firmware component of the firmware update handler, a critical subsystem responsible for validating and applying firmware images to network devices. The flaw involves insufficient cryptographic verification (CWE-345) when processing the dest parameter, which likely controls the destination storage location or firmware image path during the update process. TRENDnet TEW-821DAP is a wireless access point/range extender that accepts firmware updates via network interface. The weakness allows attackers to bypass authenticity checks on firmware data, though the actual execution impact is limited by high attack complexity and the absence of confidentiality or availability breaches. The affected version 1.12B01 shipped exclusively with hardware revision 1.xR, a deprecated platform no longer maintained or sold.

RemediationAI

Vendor patch availability is confirmed per input data, though exact patched version number is not specified in available references. Users of the deprecated TRENDnet TEW-821DAP 1.xR hardware should obtain and apply the vendor-released patch through TRENDnet's support portal or GitHub repository (https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Auth.md). Since the product is end-of-life, vendor support is limited; device replacement with current-generation TRENDnet access points is recommended for organizations requiring ongoing security updates and support. If immediate patching is impossible, disable remote firmware update functionality via device administration interface (if available) and restrict network access to the device's management port (typically TCP/80 or 443) using firewall rules to prevent remote firmware manipulation attempts. Note that disabling remote updates trades convenience for security and leaves the device vulnerable if physical access becomes available.

Share

EUVD-2026-26760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy