CVE-2026-5354
Published: 02 April 2026
Summary
CVE-2026-5354 is a medium-severity Command Injection (CWE-77) vulnerability in Trendnet Tew-657Brm Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates untrusted inputs like the policy_name argument in vpn_connect to prevent OS command injection exploitation.
Prohibits or replaces unsupported EOL components such as the Trendnet TEW-657BRM firmware vulnerable to this unpatchable command injection flaw.
Establishes processes to identify, report, and remediate flaws like this CVE through mitigation strategies including isolation or decommissioning since patching is unavailable.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing web CGI (/setup.cgi) enables T1190 (Exploit Public-Facing Application) for remote exploitation and T1059.004 (Unix Shell) for arbitrary OS command execution.
NVD Description
A flaw has been found in Trendnet TEW-657BRM 1.00.1. Affected by this vulnerability is the function vpn_connect of the file /setup.cgi. Executing a manipulation of the argument policy_name can lead to os command injection. The attack can be executed remotely.…
more
The exploit has been published and may be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2026-5354 is an OS command injection vulnerability (CWE-77, CWE-78) in the vpn_connect function of the /setup.cgi file within Trendnet TEW-657BRM firmware version 1.00.1. Manipulation of the policy_name argument allows arbitrary command execution. The issue carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on April 2, 2026.
The vulnerability can be exploited remotely by attackers with low privileges (PR:L), such as authenticated users, over the network with low complexity and no user interaction required. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing command injection to execute operating system commands on the affected device.
Vendor advisories indicate the product has been discontinued and reached end-of-life on June 23, 2011—over 14 years ago—with no ongoing support. Trendnet states it cannot confirm the vulnerability and will not provide patches, but plans to announce details on its product support page and notify registered customers.
An exploit has been publicly disclosed, and the vulnerability exclusively affects these unsupported products. No evidence of widespread real-world exploitation is noted in available references.
Details
- CWE(s)