CVE-2026-1137 - Vulnerability Details

- UTT 进取 520W formWebAuthGlobalConfig strcpy buffer overflow

Description

A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formWebAuthGlobalConfig. Performing a manipulation results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-01-19

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a buffer overflow caused by an unsafe strcpy call in the formWebAuthGlobalConfig handler. The flaw can be triggered by sending an oversized input, which may allow the attacker to overwrite memory boundaries and potentially execute arbitrary code, granting full control over the device. The flaw is captured by CWE-119 and CWE-120 and the public exploit indicates that the attack can be performed remotely.

Affected Systems

This issue affects the UTT 进取 520W router, specifically firmware version 1.7.7-180627. The CPE entries list the hardware SKU 520w and the associated firmware. Any device running this firmware is vulnerable; earlier versions may not be affected, but operators should verify their specific build numbers.

Risk and Exploitability

The CVSS score of 8.7 reflects high severity, and the EPSS score of less than 1% indicates a low probability of widespread exploitation at this time, although the presence of a publicly available exploit means that targeted attacks are feasible. The vulnerability is not yet included in the CISA KEV catalog, but remote attackers can leverage the overflow by sending crafted HTTP requests to the affected endpoint without authentication, implying that the attack surface is broad and the damage potential is significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

UTT

进取 520W

affected

Version	Status	Constraints
`1.7.7-180627`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:utt:520w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:utt:520w:3.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Utt	520w	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any vendor-released firmware update that includes a fix for the formWebAuthGlobalConfig overflow.
Until a patch is available, isolate the device from the internet or restrict inbound traffic to the web management interface using a firewall or ACL.
Configure the router to enforce strict input length checks or use a runtime sandbox that limits buffer sizes for the affected endpoint.
Monitor the device’s logs for anomalous requests to /goform/formWebAuthGlobalConfig and investigate any suspicious activity promptly.

Generated by OpenCVE AI on April 18, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00125.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/cymiao1978/cve/blob/main/new/32.md
https://vuldb.com/?ctiid.341728
https://vuldb.com/?id.341728
https://vuldb.com/?submit.735296

History

Wed, 04 Feb 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Utt 520w Firmware
CPEs		cpe:2.3:h:utt:520w:3.0:::::::* cpe:2.3:o:utt:520w_firmware::::::::
Vendors & Products		Utt 520w Firmware

Tue, 20 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 19 Jan 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Utt Utt 520w
Vendors & Products		Utt Utt 520w

Mon, 19 Jan 2026 04:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formWebAuthGlobalConfig. Performing a manipulation results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		UTT 进取 520W formWebAuthGlobalConfig strcpy buffer overflow
Weaknesses		CWE-119 CWE-120
References		https://github.com/cymiao1978/cve/blob/main/new/32.md https://vuldb.com/?ctiid.341728 https://vuldb.com/?id.341728 https://vuldb.com/?submit.735296
Metrics		cvssV2_0 `{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Utt 520w 520w Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-19T04:02:08.232Z

Updated: 2026-02-23T08:41:52.699Z

Reserved: 2026-01-18T07:29:47.192Z

Link: CVE-2026-1137

Vulnrichment

Updated: 2026-01-20T21:24:32.230Z

NVD

Status : Analyzed

Published: 2026-01-19T05:16:05.920

Modified: 2026-02-04T20:39:50.690

Link: CVE-2026-1137

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:30:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object