Skip to main content

TRENDnet TEW-635BRM EUVDEUVD-2026-43202

| CVE-2026-15480 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-07-12 VulDB GHSA-r87c-jrw7-v29r
7.4
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable web service with low-complexity overflow, but the device_name handler requires an authenticated low-privilege session (PR:L); code execution on the device yields high C/I/A with no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 12, 2026 - 06:23 vuln.today
CVSS changed
Jul 12, 2026 - 06:22 NVD
8.7 (HIGH) 7.4 (HIGH)

DescriptionCVE.org

A vulnerability was identified in Trendnet TEW-635BRM up to 1.00.03. This affects the function start_httpd of the file /sbin/rc of the component Web Service. Such manipulation of the argument device_name leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor explains: "We are unable to confirm if the vulnerability exists. This item has been EOL since 2011. We will make an official announcement of possible vulnerabilities, and recommend users to switch devices." This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Stack-based buffer overflow in the TRENDnet TEW-635BRM wireless router (firmware up to 1.00.03) lets an authenticated remote attacker overflow a fixed-size stack buffer through the device_name argument handled by the start_httpd function in /sbin/rc, potentially achieving arbitrary code execution on the device. Publicly available exploit code exists (VulDB), though it is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach router web management service
Delivery
Authenticate with low-privilege credentials
Exploit
Submit oversized device_name to start_httpd
Execution
Overflow stack buffer, overwrite return address
Persist
Execute arbitrary code on device
Impact
Pivot into internal network

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to reach the device's embedded web service and to hold low-level authenticated access (CVSS PR:L) sufficient to submit the device_name argument that the start_httpd function in /sbin/rc processes; the concrete trigger is supplying an over-long device_name value to that web configuration handler. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score is 8.7 (High) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H, indicating network-reachable, low-complexity exploitation requiring low privileges (PR:L) and yielding high impact to confidentiality, integrity, and availability of the device itself (no scope change to other systems). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained low-privilege access to the router's web management interface (for example via default or weak credentials on an internet-exposed or LAN-adjacent device) submits a crafted device_name value that exceeds the target stack buffer processed by start_httpd, overwriting the saved return address and redirecting execution to injected shellcode. Because a public proof-of-concept is available on GitHub and attack complexity is low (AC:L), a moderately skilled attacker could reproduce full compromise of the device and pivot into the internal network.
Remediation No vendor-released patch identified at time of analysis, and none is expected because the TEW-635BRM has been EOL since 2011 - TRENDnet's own guidance is to switch to a supported device, which is the recommended primary remediation (decommission and replace the router). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct asset inventory to identify all TRENDnet TEW-635BRM wireless routers in production and document firmware versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43202 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy