
CVE-2026-5351: OS Command Injection in Trendnet TEW-657BRM

Severity: Medium
Published: Thu Apr 02 2026 (04/02/2026, 15:45:12 UTC)
Source: CVE Database V5
Vendor/Project: Trendnet
Product: TEW-657BRM

Description

CVE-2026-5351 is an OS command injection vulnerability in Trendnet TEW-657BRM router firmware version 1.00.1, specifically in the add_wps_client function of /setup.cgi. The flaw arises from improper sanitization of the wl_enrolee_pin parameter, allowing a remote attacker to execute arbitrary OS commands on the device without authentication or user interaction. Exploit code is publicly available. The affected product has been discontinued and unsupported since 2011, so no patch is available. The assigned CVSS 4.0 base score is 5.3 (medium).

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/02/2026, 16:23:38 UTC

Technical Analysis

CVE-2026-5351 affects the Trendnet TEW-657BRM wireless router running firmware version 1.00.1. It is an OS command injection flaw in the add_wps_client function of the /setup.cgi endpoint. The handler takes the wl_enrolee_pin parameter, which is used during WPS client enrollment, without sufficient input validation; a WPS PIN is a short string of decimal digits, so any value containing shell metacharacters should have been rejected outright. A remote attacker who can reach the web management interface can send a crafted request to this CGI script and inject operating system commands that the device then executes. No authentication or user interaction is required. The vendor has confirmed the product has been discontinued and unsupported since June 2011, and no firmware update will be issued. VulDB, the assigner, scored it 5.3 (medium) under CVSS 4.0; defenders should treat the score as one input only, since the practical risk is driven by whether the management interface is reachable from untrusted networks. No exploitation in the wild has been reported, but public exploit code exists, which lowers the bar for opportunistic attacks. Because there is no vendor support, affected devices remain vulnerable indefinitely unless they are replaced or shielded by network controls. The case illustrates the standing risk of legacy networking equipment kept in service beyond its support lifecycle.

Potential Impact

Organizations still running the Trendnet TEW-657BRM with the vulnerable firmware face a real security risk. Successful exploitation gives a remote attacker arbitrary OS command execution on the router, which amounts to full device compromise: access to the internal network behind it, interception or manipulation of traffic passing through it, denial of service, and use of the device as a pivot for further attacks. Because this model was marketed for small office and home office use, it may sit at the edge of networks that connect into corporate infrastructure (for example via VPN or remote work), giving an attacker a foothold there. With no patch available, the exposure cannot be remediated through firmware updates, and publicly available exploit code means less skilled actors can reproduce the attack. Overall the vulnerability poses a moderate to high operational risk, highest where legacy hardware remains in use and network segmentation is weak or absent.

Mitigation Recommendations

Because the device is discontinued and unsupported, the primary mitigation is to replace the TEW-657BRM with a modern, supported router that receives regular security updates. Until replacement is possible:

- Isolate the device on its own network segment and restrict access to its web management interface (the host that serves /setup.cgi) to a small set of trusted administrative hosts; make sure management is not reachable from the WAN or from guest wireless.
- Disable WPS if the firmware allows it, since the vulnerable handler belongs to the WPS enrollment flow. Note that disabling the feature in the UI does not necessarily remove the CGI handler, so this is defense in depth rather than a fix; the network restriction above still applies.
- Monitor traffic to the device for requests to /setup.cgi whose wl_enrolee_pin value is anything other than a short all-digit PIN, and in particular for values containing shell metacharacters (;, |, &, backticks, $( )), including URL-encoded forms.
- Deploy network intrusion detection (NIDS) signatures for the public exploit, and, where replacement is delayed, virtual patching on an inline security appliance to block such requests.
- Enforce asset management so that unsupported devices are identified and phased out, and make users aware of the risks of keeping legacy hardware online.
- Review network segmentation and access controls regularly so that vulnerable devices are never exposed to untrusted networks.
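The following is an added example and is not code from the advisory, from Trendnet or from the exploit author. It ties the technical analysis above to the monitoring recommendation: the allow-list that a corrected add_wps_client handler would apply to wl_enrolee_pin (WPS PINs are 4 or 8 decimal digits) is the same rule a sensor can use to flag hostile requests. It assumes the parameter may arrive either in the query string or in a form-encoded POST body (the advisory names the path and parameter but not the HTTP method), and the sample requests are constructed for the demonstration.

```python
"""Flag requests to /setup.cgi whose wl_enrolee_pin is not a WPS PIN.

Added example, not the vendor's firmware code and not part of the original
advisory. Assumption: the parameter is sent in the query string or in an
application/x-www-form-urlencoded body; the advisory does not state the
HTTP method.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# A WPS PIN is 4 or 8 decimal digits. Anything else has no business in
# wl_enrolee_pin; this allow-list is both the fix a patched handler would
# apply and the detection rule a sensor can use.
PIN_RE = re.compile(r"^(\d{4}|\d{8})$")

# Characters that change the meaning of a string handed to a POSIX shell.
SHELL_META = set(";|&`$(){}<>\n\r'\"\\")


def is_valid_wps_pin(pin: str) -> bool:
    """Allow-list check: only a 4- or 8-digit PIN is acceptable."""
    return PIN_RE.match(pin) is not None


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path and merged parameters.

    Query-string parameters are read for every method; body parameters are
    added when the body is form-encoded. parse_qs percent-decodes values, so
    an encoded '%3B' is seen as ';' by the caller.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    if body and "x-www-form-urlencoded" in headers.get("content-type", ""):
        params.update({k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()})
    return {"method": method, "path": url.path, "params": params}


def classify_request(raw: str) -> Optional[dict]:
    """Return a finding for a suspicious add_wps_client call, else None."""
    req = parse_request(raw)
    if req["path"] != "/setup.cgi":
        return None
    pin = req["params"].get("wl_enrolee_pin")
    if pin is None or is_valid_wps_pin(pin):
        return None
    meta = sorted(c for c in set(pin) if c in SHELL_META)
    return {
        "method": req["method"],
        "pin": pin,
        "shell_metachars": meta,
        # Metacharacters mean an injection attempt; a malformed PIN without
        # them is still worth a look (probing, fuzzing).
        "severity": "high" if meta else "medium",
    }


def scan(requests) -> list:
    """Run the classifier over a batch of raw requests and keep the findings."""
    return [f for f in (classify_request(r) for r in requests) if f is not None]


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    # Normal enrollment with an 8-digit PIN: not flagged.
    "GET /setup.cgi?wl_enrolee_pin=12345670 HTTP/1.1\r\nHost: 192.168.10.1\r\n\r\n",
    # Command separator injected via the query string, URL-encoded.
    "GET /setup.cgi?wl_enrolee_pin=1234%3Breboot HTTP/1.1\r\nHost: 192.168.10.1\r\n\r\n",
    # Backtick substitution delivered in a form-encoded POST body.
    "POST /setup.cgi HTTP/1.1\r\nHost: 192.168.10.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\n\r\n"
    "wl_enrolee_pin=%60id%60",
    # Malformed PIN without metacharacters: medium, likely probing.
    "GET /setup.cgi?wl_enrolee_pin=12x4 HTTP/1.1\r\nHost: 192.168.10.1\r\n\r\n",
    # Unrelated page: ignored.
    "GET /index.html HTTP/1.1\r\nHost: 192.168.10.1\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Decoding happens before the check, so percent-encoded payloads are caught; a sensor that only pattern-matches the raw URL for `;` would miss the second sample. The same `is_valid_wps_pin` allow-list is what a fixed handler should apply before the PIN ever reaches a shell, and ideally the handler would pass the PIN as a separate argv element rather than through a shell at all.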


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-04-01T16:47:08.739Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69ce9471e6bfc5ba1de9346c

Added to database: 4/2/2026, 4:08:17 PM

Last enriched: 4/2/2026, 4:23:38 PM

Last updated: 4/2/2026, 6:48:49 PM
