Description
A vulnerability was detected in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_43F020 of the file /goform/formPdbUpConfig. Performing a manipulation of the argument policyNames results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Published: 2026-02-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Patch
AI Analysis

Impact

The flaw is in the HiPER 810 firmware's /goform/formPdbUpConfig handler (function sub_43F020), where the policyNames argument is passed directly to a shell command. An attacker can supply crafted data that injects arbitrary commands, which the device then executes. The vulnerability is classified as CWE‑74 and CWE‑77: special elements in the input are not neutralized before the value is used in a command.

Affected Systems

Only the UTT HiPER 810 device running firmware 1.7.4‑141218 is listed as affected; no other versions are mentioned, so the impact is confined to that specific build.

Risk and Exploitability

The CVSS score of 5.3 denotes moderate severity, while the EPSS score of less than 1% reflects a low probability of exploitation today. The vulnerability is not in the CISA KEV catalog, yet a public exploit exists, and the description states the attack can be launched remotely. The CVSS vectors list low privileges as required (PR:L in v3.x and v4.0, Au:S in v2.0), so an attacker with network reach to the device and a low-privileged account could execute arbitrary commands without complex prerequisites.

Generated by OpenCVE AI on April 18, 2026 at 13:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HiPER 810 firmware to a version that fixes the command injection in sub_43F020 once one is available.
  • Block or rate‑limit external access to the /goform/formPdbUpConfig endpoint using firewall rules or network segmentation.
  • If a patch is unavailable, enforce input validation or sanitization on the policyNames parameter or deploy a web application firewall to filter malicious payloads.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Utt 810; Utt 810 Firmware
CPEs | | cpe:2.3:h:utt:810:4.0:*:*:*:*:*:*:*; cpe:2.3:o:utt:810_firmware:1.7.4-141218:*:*:*:*:*:*:*
Vendors & Products | | Utt 810; Utt 810 Firmware

Tue, 10 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Utt; Utt hiper 810
Vendors & Products | | Utt; Utt hiper 810

Sun, 08 Feb 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_43F020 of the file /goform/formPdbUpConfig. Performing a manipulation of the argument policyNames results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Title | | UTT HiPER 810 formPdbUpConfig sub_43F020 command injection
Weaknesses | | CWE-74; CWE-77
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:38:04.956Z

Reserved: 2026-02-06T20:58:31.108Z

Link: CVE-2026-2135

Vulnrichment

Updated: 2026-02-10T19:49:47.452Z

NVD

Status: Analyzed

Published: 2026-02-08T05:16:07.673

Modified: 2026-02-13T18:40:09.040

Link: CVE-2026-2135

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses