A critical remote command injection vulnerability, identified as CVE-2025-15471, has been discovered in multiple TRENDnet products. This flaw allows a remote, unauthenticated attacker to execute arbitrary commands on the affected devices, potentially leading to a complete system compromise. Given that a public exploit is available and the vendor has been unresponsive, this vulnerability poses a significant and immediate risk to network security.

This vulnerability is an OS command injection flaw within an unspecified function of the /goformX/formFSrvX file. An unauthenticated, remote attacker can send a specially crafted request to this endpoint manipulating the SZCMD argument. By injecting operating system commands into this argument, the attacker can force the device to execute them with the privileges of the web server process, leading to a full compromise of the device.

With a CVSS score of 9.8, this vulnerability is of critical severity. Successful exploitation grants an attacker complete control over the affected TRENDnet device. This could result in severe business consequences, including the theft of sensitive network traffic, disruption of network services, and using the compromised device as a pivot point to launch further attacks against the internal corporate network. Compromised devices could also be absorbed into a botnet for use in large-scale malicious activities like DDoS attacks.

Immediate Action: Update affected TRENDnet devices to the latest available firmware version to patch the vulnerability. In parallel, immediately begin to monitor for exploitation attempts by reviewing device and network access logs for any signs of compromise as detailed below.

Proactive Monitoring: Security teams should actively monitor web server logs on affected devices for any requests to the /goformX/formFSrvX endpoint. Specifically, look for requests where the SZCMD argument contains suspicious characters or clear shell commands (e.g., |, &, ;, wget, curl, /bin/sh). Monitor for unusual outbound traffic originating from these devices, which could indicate communication with a command-and-control server.

Compensating Controls: If patching is not immediately feasible, implement the following controls:

• Restrict access to the device's web management interface to a trusted, internal network segment. Do not expose the management interface directly to the internet.
• Deploy a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) with rules to detect and block malicious requests targeting the /goformX/formFSrvX endpoint and the SZCMD parameter.
• Implement network segmentation to limit the potential "blast radius" should a device be compromised.

Public Exploit Available: true

Given the critical severity (CVSS 9.8), remote exploitability, and the availability of a public exploit, this vulnerability requires immediate attention. The lack of vendor response means organizations cannot rely on a timely patch. It is strongly recommended that organizations identify all affected TRENDnet devices and apply the firmware update if one becomes available. If a patch is not available, the compensating controls listed above, particularly restricting management interface access from the internet, must be implemented immediately. Due to the high risk, organizations should also prepare a plan to replace these devices with supported hardware if the vendor remains unresponsive.