| Title | TRENDnet TEW-713RE 1.02 OS Command Injection |
|---|---|
| Description | A pre-authentication command injection vulnerability exists in the formFSrvX handler of the Trendnet TEW-713RE firmware. The vulnerable endpoint /goformX/formFSrvX is exposed without any authentication and accepts a user-controlled parameter SZCMD, which is directly executed by the backend as a shell command. Because no authentication or session verification is enforced on the /goformX/formFSrvX endpoint, a remote unauthenticated attacker can send a single crafted HTTP request to execute arbitrary commands with root privileges. Successful exploitation allows full device compromise, including file creation, service manipulation, backdoor installation, and potential lateral movement within the network. |
| Source | https://pentagonal-time-3a7.notion.site/Command-Injection-Vulnerability-in-formFSrvX-of-Trendnet-TEW-713RE-2d1e5dd4c5a5801481abe7a944763d39 |
| User | Anonymous User |
| Submission | 12/22/2025 11:42 (4 months ago) |
| Moderation | 01/06/2026 17:28 (15 days later) |
| Status | Accepted |
| VulDB entry | 339721 [TRENDnet TEW-713RE 1.02 /goformX/formFSrvX SZCMD os command injection] |
| Points | 17 |
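
A detection sketch for the endpoint and parameter named in the description, added here as an example and not part of the submission or of any vendor tooling. It flags requests to `/goformX/formFSrvX` in proxy or sensor logs. The log layout, the severity labels, the function names and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

ENDPOINT = "/goformx/formfsrvx"  # path from the advisory, lower-cased
PARAM = "szcmd"                  # parameter from the advisory, lower-cased
# Assumed log layout (constructed): src "METHOD target PROTO" status "form body"
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "(.*)"$')

# Constructed sample lines; addresses are documentation ranges, values are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 "GET /index.htm HTTP/1.1" 200 ""',
    '198.51.100.7 "POST /goformX/formFSrvX HTTP/1.1" 200 "SZCMD=PLACEHOLDER"',
    '198.51.100.7 "GET /goformX//formfsrvx?szcmd=PLACEHOLDER HTTP/1.1" 200 ""',
    '198.51.100.9 "GET /goformX/%66ormFSrvX HTTP/1.1" 404 ""',
]

def normalise_path(path):
    """Undo percent-encoding (twice), duplicate slashes, dot segments and case."""
    for _ in range(2):
        path = unquote(path)
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path).lower()

def inspect(line):
    """Return a finding dict for a request to the handler, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, method, target, status, body = m.groups()
    path, _, query = target.partition("?")
    if normalise_path(path) != ENDPOINT:
        return None
    params = {}
    for raw in (query, body):  # the parameter may arrive in either place
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            params.setdefault(key.lower(), []).extend(values)
    return {
        "src": src, "method": method, "status": int(status),
        # Any request to this unauthenticated handler is notable; one that
        # carries SZCMD matches the advisory's description.
        "severity": "high" if PARAM in params else "medium",
        "szcmd": params.get(PARAM, []),
    }

def scan(lines):
    return [f for f in map(inspect, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the handler requires no session, the source address and the logged `SZCMD` value are the main triage fields; a hit from outside the management network warrants isolating the device.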