CVE-2026-5353
Published: 02 April 2026
Summary
CVE-2026-5353 is a medium-severity Command Injection (CWE-77) vulnerability in Trendnet Tew-657Brm Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prohibits the use of unsupported system components like this EOL router that cannot be patched for the OS command injection vulnerability.
Requires validation of inputs such as the c4_IPAddr argument to prevent OS command injection in the ping_test function.
Mandates identification and remediation of flaws like this command injection, leading to patching or retirement of the affected EOL product.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via public-facing web CGI (/setup.cgi) on a network device (router) directly enables exploitation of public-facing applications (T1190) and execution of commands via Network Device CLI or Unix Shell (T1059.008).
NVD Description
A vulnerability was detected in Trendnet TEW-657BRM 1.00.1. Affected is the function ping_test of the file /setup.cgi. Performing a manipulation of the argument c4_IPAddr results in os command injection. Remote exploitation of the attack is possible. The exploit is now…
more
public and may be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2026-5353 is an OS command injection vulnerability (CWE-77, CWE-78) in the ping_test function of the /setup.cgi file within Trendnet TEW-657BRM version 1.00.1. Manipulation of the c4_IPAddr argument allows attackers to inject arbitrary operating system commands, enabling remote exploitation.
Attackers with low privileges (PR:L), such as authenticated users, can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), with an overall CVSS v3.1 base score of 6.3. The exploit is publicly available.
The vendor has confirmed that the affected product was discontinued and reached end-of-life on June 23, 2011—over 14 years ago—and receives no support. As a result, no patches or fixes are provided, and the vendor cannot confirm the vulnerability details. They plan to post an announcement on their product support page and notify registered customers. This issue only affects unsupported products.
Notable context includes the public availability of the exploit, as documented in references such as the GitHub repository and VulDB entries, increasing risk for any remaining deployments of this legacy router.
Details
- CWE(s)