CVE-2026-5184
Published: 31 March 2026
Summary
CVE-2026-5184 is a low-severity Injection (CWE-74) vulnerability in TRENDnet TEW-713RE firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
A command injection vulnerability exists in the TRENDnet TEW-713RE wireless range extender up to firmware version 1.02. The flaw resides in an unspecified function within the /goform/setSysAdm endpoint, where unsanitized input supplied to the admuser argument is passed to a system command. The issue is tracked under CWE-74 and CWE-77 and carries a CVSS 4.0 score of 2.1.
An authenticated remote attacker can supply a crafted admuser value to execute arbitrary operating-system commands on the device. Because the attack requires only low privileges and no user interaction, an adversary who has obtained valid credentials or who can reach the web interface can achieve limited control over confidentiality, integrity, and availability of the affected extender. A publicly available proof-of-concept exploit has been posted on GitHub.
No vendor advisory, patch, or mitigation guidance has been issued; TRENDnet was notified prior to disclosure but did not respond. The public references consist solely of the exploit description and VulDB entries.
EPSS for the CVE rose from a low baseline to a peak of 0.0141 on 2026-04-06 before receding, indicating measurable exploitation interest shortly after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17335
Vulnerability details
A vulnerability was identified in TRENDnet TEW-713RE up to 1.02. The impacted element is an unknown function of the file /goform/setSysAdm. The manipulation of the argument admuser leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection vulnerability in the web endpoint (/goform/setSysAdm) allows remote exploitation of a public-facing application (T1190) or of remote services (T1210) with low privileges to achieve arbitrary command execution (T1059).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly addresses command injection by requiring validation and sanitization of untrusted inputs like the 'admuser' argument in /goform/setSysAdm.
Mandates identification, reporting, and correction of flaws such as this command injection vulnerability through patching or other remediation.
Requires vulnerability scanning to identify and remediate this specific CVE in affected TRENDnet devices.
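With no vendor fix available, input validation for admuser can only be enforced in front of the device. The following is an added example, not code from the vendor or from this page: a Python check that a reverse proxy or traffic-inspection script could apply to requests for /goform/setSysAdm. The allowlist for admuser and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/setSysAdm"   # endpoint named in the advisory text
PARAM = "admuser"                # argument named in the advisory text

# Assumption: a legitimate admin user name is 1-32 characters drawn from
# letters, digits, '.', '_' and '-'. Everything else is refused, so shell
# metacharacters, whitespace and control bytes never reach the device.
ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,32}")


def check_request(target, body=""):
    """Decide whether a request may be forwarded to the extender.

    target: request target (path plus optional query string)
    body:   application/x-www-form-urlencoded body, possibly empty
    Returns (allowed, reason).
    """
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return True, "other endpoint"
    # Collect the parameter from query string and body, including repeats,
    # because the device may read either copy. Values are percent-decoded once.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    values = [v for k, v in pairs if k == PARAM]
    if not values:
        return True, "no admuser supplied"
    for value in values:
        # fullmatch (not match with '$') so a trailing newline is rejected too.
        if not ALLOWED.fullmatch(value):
            return False, f"admuser rejected: {value!r}"
    return True, "admuser ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/goform/setSysAdm", "admuser=admin"),
    ("/goform/setSysAdm", "admuser=admin%3Bx"),            # ';' after decoding
    ("/goform/setSysAdm", "admuser=admin%0A"),             # trailing newline
    ("/goform/setSysAdm", "admuser=admin%250Ax"),          # double-encoded
    ("/goform/setSysAdm?admuser=a%7Cb", "admuser=admin"),  # repeat in query
    ("/", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(target, body, "->", check_request(target, body))
```

The check assumes the proxy has already normalized the request path; the same allowlist can be run over recorded requests to flag past attempts.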