CVE-2026-5355: OS Command Injection in Trendnet TEW-657BRM

Severity: Medium
Type: Vulnerability
Published: Thu Apr 02 2026 (04/02/2026, 16:45:17 UTC)
Source: CVE Database V5
Vendor/Project: Trendnet
Product: TEW-657BRM

Description

A vulnerability has been found in Trendnet TEW-657BRM 1.00.1. Affected by this issue is the function vpn_drop of the file /setup.cgi. Manipulation of the argument policy_name leads to OS command injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor confirms that "[t]he product in question (...) has been discontinued and end of life since June 23, 2011, that is more than 14 years ago. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on our website's product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/02/2026, 17:23:32 UTC

Technical Analysis

CVE-2026-5355 identifies a remote OS command injection vulnerability in the Trendnet TEW-657BRM router, specifically version 1.00.1. The vulnerability resides in the vpn_drop function of the /setup.cgi script, where the policy_name parameter is improperly sanitized, allowing an attacker to inject arbitrary operating system commands. This injection occurs without requiring authentication or user interaction, making it remotely exploitable over the network. The vendor has confirmed that the TEW-657BRM product line was discontinued and reached end-of-life status in June 2011, over 14 years ago, and no patches or support are available. The CVSS 4.0 base score is 5.3, reflecting medium severity due to the ease of exploitation (network vector, low attack complexity, no privileges or user interaction needed) but limited impact scope (low confidentiality, integrity, and availability impact). Although no known exploits are currently active in the wild, the public disclosure of the vulnerability increases the likelihood of future exploitation attempts. The vulnerability could allow attackers to execute arbitrary commands on the device, potentially leading to device compromise, network pivoting, or disruption of VPN functionality. Due to the product's age and lack of vendor support, affected devices remain vulnerable unless mitigated by network controls or device replacement.

Potential Impact

The primary impact of CVE-2026-5355 is the potential for remote attackers to execute arbitrary OS commands on the affected Trendnet TEW-657BRM routers. This can lead to full device compromise, allowing attackers to manipulate VPN configurations, intercept or redirect network traffic, or disrupt network availability. Confidentiality may be compromised if attackers gain access to sensitive VPN policies or network data. Integrity is at risk as attackers could alter device settings or inject malicious payloads. Availability could be affected if attackers disrupt VPN services or cause device crashes. Given the device is a network router with VPN capabilities, exploitation could facilitate lateral movement within an organization's network, increasing the risk of broader compromise. However, the impact is somewhat limited by the device's discontinued status and presumably low deployment in modern environments. Organizations still using this device in critical infrastructure or legacy systems face significant operational and security risks.

Mitigation Recommendations

Since the vendor no longer supports the TEW-657BRM and no patches are available, organizations should prioritize the following mitigations:

1) Immediately identify and inventory any deployed TEW-657BRM devices within the network.
2) Replace affected devices with currently supported and patched hardware to eliminate the vulnerability.
3) If immediate replacement is not feasible, isolate the device on a segmented network with strict access controls to limit exposure to untrusted networks.
4) Disable remote management interfaces and VPN functionalities if not in use to reduce attack surface.
5) Monitor network traffic for unusual activity or command injection attempts targeting the /setup.cgi endpoint.
6) Employ network intrusion detection/prevention systems (IDS/IPS) with signatures for command injection patterns.
7) Educate network administrators about the risks of using unsupported legacy devices and enforce policies to phase them out.

These steps go beyond generic advice by focusing on compensating controls and device lifecycle management.
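One way to implement the monitoring in step 5, as an added example that is not part of the original advisory: a Python filter that flags /setup.cgi requests whose policy_name value contains shell metacharacters. It assumes HTTP logs in Apache/Nginx "combined" format from a proxy or sensor in front of the router and that policy_name appears in the query string (the advisory does not say how the parameter is sent; a request body would need the same check); the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters a shell treats specially; a VPN policy name has no reason to carry them.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")
# Assumed log format: Apache/Nginx "combined" lines (an assumption, not from the advisory).
REQUEST = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

def suspicious_policy_name(line):
    """Return (src, decoded policy_name) if the line is a /setup.cgi request
    whose policy_name contains shell metacharacters, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/setup.cgi"):
        return None
    # parse_qs percent-decodes values, so an encoded %3B is inspected as ';'.
    for value in parse_qs(url.query, keep_blank_values=True).get("policy_name", []):
        if SHELL_META.search(value):
            return m.group("src"), value
    return None

def scan(lines):
    """Return every (src, policy_name) hit found in an iterable of log lines."""
    return [hit for hit in map(suspicious_policy_name, lines) if hit]

# Constructed sample lines (not captured traffic; other query parameters omitted).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Apr/2026:17:00:01 +0000] "GET /setup.cgi?policy_name=branch-office HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [02/Apr/2026:17:00:05 +0000] "GET /setup.cgi?policy_name=x%3Bid HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [02/Apr/2026:17:00:09 +0000] "GET /index.htm?policy_name=x%3Bid HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.4 - - [02/Apr/2026:17:00:12 +0000] "POST /setup.cgi?policy_name=%60uptime%60 HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"ALERT src={src} policy_name={value!r}")
```

Because the device is end of life, any hit is best treated as a reason to accelerate isolation or replacement rather than as something to tune away.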


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-04-01T16:47:21.513Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69cea282e6bfc5ba1ded3a66

Added to database: 4/2/2026, 5:08:18 PM

Last enriched: 4/2/2026, 5:23:32 PM

Last updated: 4/3/2026, 1:57:53 PM
