Cyber Resilience

CVE-2026-5355

MediumPublic PoC

Published: 02 April 2026

Published
02 April 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0478 90.8th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-5355 is a medium-severity Command Injection (CWE-77) vulnerability in Trendnet Tew-657Brm Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-7 (Boundary Protection).

Deeper analysis

A vulnerability has been identified in the Trendnet TEW-657BRM router running firmware version 1.00.1. The issue resides in the vpn_drop function within the /setup.cgi file, where improper handling of the policy_name argument permits OS command injection. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 5.3.

An authenticated remote attacker can supply a crafted policy_name value to execute arbitrary operating system commands on the device. Publicly available proof-of-concept code demonstrates that the attack can be performed over the network without user interaction, potentially allowing an adversary to alter device configuration, exfiltrate data, or disrupt service.

The vendor has stated that the TEW-657BRM reached end-of-life status in June 2011 and receives no further support or patches. No firmware updates or official mitigations are available; the vendor intends only to post a notice on its product support page and notify registered owners.

EPSS for the CVE rose from a low baseline to a recorded peak of 0.0106, indicating increased exploitation interest after public disclosure of the proof-of-concept.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability has been found in Trendnet TEW-657BRM 1.00.1. Affected by this issue is the function vpn_drop of the file /setup.cgi. The manipulation of the argument policy_name leads to os command injection. The attack is possible to be carried out…

more

remotely. The exploit has been disclosed to the public and may be used. The vendor confirms, that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

OS command injection in web CGI (/setup.cgi) on public-facing router web interface directly enables T1190 (Exploit Public-Facing Application). Exploitation grants arbitrary OS command execution on network device, facilitating T1059.008 (Network Device CLI).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5351Same product: Trendnet Tew-657Brm
CVE-2026-5353Same product: Trendnet Tew-657Brm
CVE-2026-5354Same product: Trendnet Tew-657Brm
CVE-2026-5352Same product: Trendnet Tew-657Brm
CVE-2026-5350Same product: Trendnet Tew-657Brm
CVE-2026-5349Same product: Trendnet Tew-657Brm
CVE-2026-7609Same vendor: Trendnet
CVE-2025-15471Same vendor: Trendnet
CVE-2025-15472Same vendor: Trendnet
CVE-2025-15137Same vendor: Trendnet

Affected Assets

trendnet
tew-657brm firmware
1.00.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires disabling or removing unsupported EOL system components like the Trendnet TEW-657BRM to eliminate exposure to this unpatchable OS command injection vulnerability.

prevent

Information input validation on the policy_name argument in the vpn_drop function of /setup.cgi directly prevents OS command injection by rejecting malformed or malicious inputs.

prevent

Boundary protection at network interfaces blocks remote access to the vulnerable /setup.cgi endpoint, stopping exploitation over the network.

References