CVE-2024-37642
published 2024-06-14CVE-2024-37642: TRENDnet TEW-814DAP v1_(FW1.01B01) was discovered to contain a command injection vulnerability via the ipv4_ping, ipv6_ping parameter at /formSystemCheck .
PriorityP269critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
11.37%
95.4th percentile
TRENDnet TEW-814DAP v1_(FW1.01B01) was discovered to contain a command injection vulnerability via the ipv4_ping, ipv6_ping parameter at /formSystemCheck .
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trendnet | tew-814dap_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
path/boafrm/formSystemCheck
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TrendNet formSystemCheck Multiple Parameters Command Injection Attempt (CVE-2024-37642, CVE-2023-51835)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/boafrm/formSystemCheck"; http.request_body; content:"admin_ping.htm"; fast_pattern; pcre:"/ipv[46]\x5fping\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,pentagonal-time-3a7.notion.site/TRENDnet-TEW-822DRE-Ping-command-injection-2c8e5dd4c5a58084a3b0dcf927a755d6; reference:cve,2024-37642; reference:cve,2023-51835; classtype:attempted-admin; sid:2066749; rev:1; metadata:affected_product TrendNet, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_14, cve CVE_2024_37642, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- →Exploit targets HTTP POST requests to the exact URI /boafrm/formSystemCheck with a body length of exactly 23 bytes for the URI component; match on POST method and this path.
- →Request body must contain the string 'admin_ping.htm' as a fast-pattern anchor for the attack payload.
- →Injection is carried via the ipv4_ping or ipv6_ping parameters; look for shell metacharacters (semicolon, newline, backtick, pipe, dollar sign) in URL-encoded or raw form within those parameter values.
- →Vulnerable endpoint is /formSystemCheck on TRENDnet TEW-814DAP v1 (FW1.01B01); the injectable parameters are ipv4_ping and ipv6_ping. ↗
- →Traffic is expected in plaintext (TLS state: plaintext); deploy detection at the network perimeter and internally.
- ·The Snort/Suricata rule (sid:2066749) uses a URI bsize of exactly 23, matching '/boafrm/formSystemCheck' precisely; ensure your sensor is configured to inspect HTTP request bodies on inbound traffic to network devices ($HOME_NET).
- ·The PCRE covers both URL-encoded and raw forms of the shell metacharacters (;, newline, backtick, |, $); ensure your IDS/IPS PCRE engine supports these escape sequences and that HTTP body inspection is enabled.
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS TrendNet formSystemCheck Multiple Parameters Command Injection Attempt (CVE-2024-37642, CVE-2023-51835)
suricata·2026-01-14·CVSS 6.8
CVE-2024-37642 [MEDIUM] ET WEB_SPECIFIC_APPS TrendNet formSystemCheck Multiple Parameters Command Injection Attempt (CVE-2024-37642, CVE-2023-51835)
ET WEB_SPECIFIC_APPS TrendNet formSystemCheck Multiple Parameters Command Injection Attempt (CVE-2024-37642, CVE-2023-51835)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TrendNet formSystemCheck Multiple Parameters Command Injection Attempt (CVE-2024-37642, CVE-2023-51835)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/boafrm/formSystemCheck"; http.request_body; content:"admin_ping.htm"; fast_pattern; pcre:"/ipv[46]\x5fping\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,pentagonal-time-3a7.notion.site/TRENDnet-TEW-822DRE-Ping-command-injection-2c8e5dd4c5a58084a3b0dcf927a755d6; reference:cve,2024-37642; reference:cve,2023-51835; classtype:attempted-admin; sid:20667
No public exploits indexed.
No writeups or analysis indexed.
2024-06-14
Published