Cyber Resilience

CVE-2026-5351

MediumPublic PoC

Published: 02 April 2026

Published
02 April 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0446 90.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-5351 is a medium-severity Command Injection (CWE-77) vulnerability in Trendnet Tew-657Brm Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

A weakness has been identified in the Trendnet TEW-657BRM router running firmware version 1.00.1. The issue resides in the add_wps_client function within /setup.cgi, where improper handling of the wl_enrolee_pin argument permits OS command injection. The flaw is remotely triggerable and is tracked under CWE-77 and CWE-78, with a CVSS 4.0 score of 5.3 reflecting limited impact under the supplied vector.

An authenticated attacker with network access can supply a crafted wl_enrolee_pin value to execute arbitrary operating-system commands on the device. Public exploit code has been released, enabling attackers to leverage the injection for unauthorized command execution on affected routers.

The vendor has stated that the TEW-657BRM reached end-of-life in June 2011 and receives no further support or patches; affected units remain exposed because no firmware updates are available.

The EPSS score rose from a low baseline of 0.0007 to a peak of 0.0106, indicating increased exploitation interest after disclosure. The device’s long-discontinued status and the public availability of working exploit material together elevate the practical risk for any remaining deployments.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A weakness has been identified in Trendnet TEW-657BRM 1.00.1. This affects the function add_wps_client of the file /setup.cgi. This manipulation of the argument wl_enrolee_pin causes os command injection. The attack may be initiated remotely. The exploit has been made available…

more

to the public and could be used for attacks. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

OS command injection via authenticated web interface on router enables exploitation of public-facing application (T1190) and network device CLI command execution (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5355Same product: Trendnet Tew-657Brm
CVE-2026-5353Same product: Trendnet Tew-657Brm
CVE-2026-5354Same product: Trendnet Tew-657Brm
CVE-2026-5352Same product: Trendnet Tew-657Brm
CVE-2026-5350Same product: Trendnet Tew-657Brm
CVE-2026-5349Same product: Trendnet Tew-657Brm
CVE-2026-7609Same vendor: Trendnet
CVE-2025-15471Same vendor: Trendnet
CVE-2025-15472Same vendor: Trendnet
CVE-2025-15137Same vendor: Trendnet

Affected Assets

trendnet
tew-657brm firmware
1.00.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Prohibits use of unsupported EOL components like the Trendnet TEW-657BRM router, directly mitigating unpatchable OS command injection vulnerabilities.

prevent

Requires validation and sanitization of inputs like the wl_enrolee_pin argument in /setup.cgi to prevent OS command injection exploits.

preventrecover

Mandates identification and remediation of flaws like CVE-2026-5351, leading to patching, reconfiguration, or decommissioning of affected EOL systems.

References