CVE-2025-65202 identifies a critical authenticated remote OS command injection vulnerability in the TRENDnet TEW-657BRM router firmware version 1.00.1. The vulnerability resides in the setup.cgi binary, which processes HTTP requests containing parameters "command", "todo", and "next_file". An attacker who has valid authentication credentials can craft malicious HTTP requests that inject arbitrary operating system commands. These commands execute with root privileges, granting full control over the router. This level of access allows attackers to manipulate device configurations, intercept or redirect network traffic, deploy persistent malware, or use the device as a pivot point for further network attacks. The vulnerability requires authentication, which limits exploitation to attackers who have obtained or guessed valid credentials. No public exploits or patches are currently available, and no CVSS score has been assigned yet. The vulnerability was published on November 26, 2025, with the CVE reserved shortly before on November 18, 2025. The absence of a CVSS score necessitates an independent severity assessment based on the impact and exploit conditions. The router model affected is commonly used in small to medium enterprise and home office environments, which may expose a broad range of organizations to risk if devices are not updated or properly secured.

For European organizations, exploitation of this vulnerability could lead to complete compromise of affected routers, resulting in loss of confidentiality, integrity, and availability of network communications. Attackers gaining root access can intercept sensitive data, modify traffic flows, or disrupt network services. This is particularly critical for organizations relying on these routers for perimeter security or VPN termination. The vulnerability could facilitate lateral movement within corporate networks, enabling attackers to reach critical internal systems. Additionally, compromised routers could be enlisted into botnets or used to launch further attacks, increasing the overall threat landscape. The impact is heightened in sectors such as finance, healthcare, government, and critical infrastructure, where network reliability and data protection are paramount. Given the authenticated nature of the exploit, the risk is contingent on credential compromise, which may occur via phishing, credential reuse, or insider threats. The lack of patches increases the window of exposure, emphasizing the need for immediate mitigation steps.

1. Immediately restrict access to the router's management interface to trusted networks only, preferably via VPN or isolated management VLANs. 2. Enforce strong, unique passwords and implement multi-factor authentication if supported to reduce the risk of credential compromise. 3. Monitor router logs and network traffic for unusual activities indicative of exploitation attempts. 4. Disable remote management features if not required, especially over the internet. 5. Apply firmware updates or patches from TRENDnet as soon as they become available; coordinate with the vendor for timelines if not yet released. 6. Consider replacing affected devices with models from vendors with a stronger security track record if patches are delayed. 7. Conduct regular vulnerability assessments and penetration tests focusing on network infrastructure devices. 8. Educate users and administrators on credential security best practices to prevent unauthorized access. 9. Implement network segmentation to limit the impact of a compromised router on critical systems. 10. Use intrusion detection/prevention systems to detect exploitation attempts targeting this vulnerability.