CVE-2026-2071 - Vulnerability Details

- UTT 进取 520W formP2PLimitConfig strcpy buffer overflow

Description

A vulnerability was found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formP2PLimitConfig. Performing a manipulation of the argument except results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-02-07

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from an unchecked strcpy operation in the formP2PLimitConfig handler, allowing an attacker to overflow a target buffer when supplying a specially crafted argument. This overflow can corrupt memory, potentially affecting confidentiality, integrity, and availability. Based on typical outcomes of buffer overflows, the resulting memory corruption could enable arbitrary code execution or lead to denial of service, but the provided description does not explicitly confirm these outcomes.

Affected Systems

The affected product is UTT 520W router running firmware version 1.7.7-180627. Devices identified by the CNA as UTT:进取 520W with this firmware are susceptible. No other versions or builds are listed in the current data.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as high severity, while the EPSS score indicates a very low current exploitation probability (<1%). The vulnerability is not listed in the CISA KEV catalog. However, a public exploit exists and the attack can be carried out remotely via a web request to /goform/formP2PLimitConfig, so the likelihood of attempted exploitation remains a concern for exposed devices.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

UTT

进取 520W

affected

Version	Status	Constraints
`1.7.7-180627`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:utt:520w_firmware:1.7.7-180627:*:*:*:*:*:*:*

cpe:2.3:h:utt:520w:3.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Utt	520w	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the vendor’s website for firmware updates that address the strcpy buffer overflow.
If an update is available, apply it to the device.
If no update is available, restrict or block remote access to the /goform/formP2PLimitConfig endpoint using firewall or ACL rules to prevent malicious inputs.
Monitor inbound traffic for anomalous requests to the vulnerable endpoint and enforce strict input validation.

Generated by OpenCVE AI on April 18, 2026 at 13:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00106.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/cymiao1978/cve/blob/main/new/40.md
https://vuldb.com/?ctiid.344638
https://vuldb.com/?id.344638
https://vuldb.com/?submit.745265

History

Fri, 13 Feb 2026 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Utt 520w Firmware
CPEs		cpe:2.3:h:utt:520w:3.0:::::::* cpe:2.3:o:utt:520w_firmware:1.7.7-180627:::::::*
Vendors & Products		Utt 520w Firmware

Tue, 10 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Utt Utt 520w
Vendors & Products		Utt Utt 520w

Sat, 07 Feb 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formP2PLimitConfig. Performing a manipulation of the argument except results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		UTT 进取 520W formP2PLimitConfig strcpy buffer overflow
Weaknesses		CWE-119 CWE-120
References		https://github.com/cymiao1978/cve/blob/main/new/40.md https://vuldb.com/?ctiid.344638 https://vuldb.com/?id.344638 https://vuldb.com/?submit.745265
Metrics		cvssV2_0 `{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Utt 520w 520w Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-07T00:32:06.561Z

Updated: 2026-02-23T09:29:00.399Z

Reserved: 2026-02-06T07:41:27.166Z

Link: CVE-2026-2071

Vulnrichment

Updated: 2026-02-10T15:22:23.717Z

NVD

Status : Analyzed

Published: 2026-02-07T01:15:54.470

Modified: 2026-02-13T18:55:05.520

Link: CVE-2026-2071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object