Description
A vulnerability was found in UTT HiPER 2610G up to 3.0.0-171107. This affects the function strcpy of the file /goform/formNatStaticMap. Performing a manipulation of the argument NatBinds results in buffer overflow. The exploit has been made public and could be used.
Published: 2026-06-08
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow occurs in the strcpy call within the UTT HiPER 2610G firmware's /goform/formNatStaticMap handler. By manipulating the NatBinds argument, an attacker can overwrite adjacent memory, potentially corrupting program control data. The flaw falls under CWE-119 and CWE-120. While the CVE notes that the exploit is publicly available, the description does not state a definitive outcome; however, typical buffer overflows of this nature can lead to arbitrary code execution or privilege escalation.

Affected Systems

The vulnerability is present in UTT HiPER 2610G routers running firmware versions up to and including 3.0.0-171107. Devices with these firmware releases are susceptible; versions newer than 3.0.0-171107 are presumed immune unless further information emerges.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate risk, and the lack of an EPSS rating means current exploit prevalence is unknown. The vulnerability is not listed in the CISA KEV catalog, so there is no recorded evidence of a widespread active campaign. The likely attack vector is remote HTTP access to /goform/formNatStaticMap, potentially requiring authentication or being open to unauthenticated users on externally reachable devices. Note that the CVSS vectors recorded for this CVE rate the attack vector as adjacent network (AV:A) with low privileges required (PR:L). An attacker could exploit this flaw from any remote location where the device is reachable, making it a relevant threat for externally facing network equipment.

Generated by OpenCVE AI on June 8, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to a version newer than 3.0.0-171107 once an official patch is available.
  • If a firmware update is not immediately possible, restrict network access to the /goform/formNatStaticMap endpoint by firewall or VLAN filtering so that only authorized management traffic can reach it.
  • As a temporary workaround, block or disable the NatBinds parameter or the entire formNatStaticMap functionality through device configuration or by applying a custom firewall rule, and monitor logs for suspicious NatBinds activity.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in UTT HiPER 2610G up to 3.0.0-171107. This affects the function strcpy of the file /goform/formNatStaticMap. Performing a manipulation of the argument NatBinds results in buffer overflow. The exploit has been made public and could be used.
Title | | UTT HiPER 2610G formNatStaticMap strcpy buffer overflow
First Time appeared | | Utt; Utt hiper 2610g
Weaknesses | | CWE-119; CWE-120
CPEs | | cpe:2.3:a:utt:hiper_2610g:*:*:*:*:*:*:*:*
Vendors & Products | | Utt; Utt hiper 2610g
References | |
Metrics | | cvssV2_0: {'score': 5.2, 'vector': 'AV:A/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 5.5, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T15:35:53.813Z

Reserved: 2026-06-07T15:57:23.448Z

Link: CVE-2026-11516

Vulnrichment

Updated: 2026-06-08T15:35:42.670Z

NVD

Status: Received

Published: 2026-06-08T15:16:43.017

Modified: 2026-06-08T16:16:36.787

Link: CVE-2026-11516

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T15:30:27Z

Weaknesses