PT-2021-17962 · Trendnet · Trendnet Tew-821Dap2Kac+3

Published: 2021-08-10 · Updated: 2021-08-19 · CVE-2021-28846

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions:
TRENDnet TEW-755AP version 1.11B03
TRENDnet TEW-755AP2KAC version 1.11B03
TRENDnet TEW-821DAP2KAC version 1.11B03
TRENDnet TEW-825DAP version 1.11B03

Description: A format string issue exists that could let a remote malicious user cause a denial of service. It stems from a logic bug at address 0x40dcd0, where fprintf is called with the format "%s: key len = %d, too long " and the two variables seem to be passed in the wrong order. The issue could be triggered by sending a POST request to "apply cgi" with a long and unknown key in the request body.

Recommendations: For each affected product (TRENDnet TEW-755AP, TEW-755AP2KAC, TEW-821DAP2KAC and TEW-825DAP, all version 1.11B03), consider disabling the apply cgi endpoint until a patch is available. As a temporary workaround, avoid using the apply cgi endpoint with a long and unknown key in the request body until the issue is resolved.
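
The argument-order mistake in the description, shown beside a corrected logging call. This is an added example, not code from the firmware or the vendor; `MAX_KEY_LEN`, `format_key_error`, `check_key` and the sample keys are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_KEY_LEN 64 /* assumed limit, not taken from the firmware */

/* Pattern the description reports (left as a comment: running it is undefined
 * behaviour, because %s treats the integer length as a char pointer):
 *     fprintf(log, "%s: key len = %d, too long ", len, key);
 * Building with -Wall -Werror=format rejects that line at compile time. */

/* Corrected formatting: argument order matches the conversions, %zu matches
 * size_t, and the precision caps how much request data reaches the log. */
int format_key_error(char *out, size_t outsz, const char *key, size_t len)
{
    return snprintf(out, outsz, "%.32s: key len = %zu, too long", key, len);
}

/* Hypothetical request-key check: 0 = accepted, -1 = rejected and logged. */
int check_key(FILE *log, const char *key)
{
    char msg[96];
    size_t len = strlen(key);

    if (len <= MAX_KEY_LEN)
        return 0;
    format_key_error(msg, sizeof msg, key, len);
    fprintf(log, "%s\n", msg);
    return -1;
}

int main(void)
{
    char long_key[201]; /* constructed sample input */

    memset(long_key, 'A', sizeof long_key - 1);
    long_key[sizeof long_key - 1] = '\0';
    printf("short key -> %d\n", check_key(stderr, "wlan_ssid"));
    printf("long key  -> %d\n", check_key(stderr, long_key));
    return 0;
}
```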

Weakness Enumeration

Use of Externally-Controlled Format String

Related Identifiers

CVE-2021-28846

Affected Products

Trendnet Tew755Ap
Trendnet Tew-755Ap2Kac
Trendnet Tew-821Dap2Kac
Trendnet Tew-825Dap