Description
A vulnerability was determined in UTT 进取 521G 3.1.1-190816. The impacted element is the function sub_446B18 of the file /goform/formPdbUpConfig. Executing a manipulation of the argument policyNames can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-02-08
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote OS Command Execution
Action: Immediate Patch
AI Analysis

Impact

A function exposed through the device web interface allows manipulation of the policyNames argument, resulting in OS command injection classified as CWE‑77 and CWE‑78. Successful exploitation would give an attacker full control over the UTT 进取 521G router, compromising confidentiality, integrity, and availability of its hosted services.

Affected Systems

The flaw exists in UTT 进取 521G firmware version 3.1.1‑190816. Devices running this firmware, especially those exposed to the Internet, are affected according to the CVE data.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. The EPSS score of less than 1% suggests a low current probability of exploitation, although the CVE is publicly disclosed. The vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based: remote attackers can trigger the flaw by sending a crafted request to /goform/formPdbUpConfig.

Generated by OpenCVE AI on April 17, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to a version that eliminates the command injection vulnerability.
  • If an upgrade cannot be performed immediately, block or restrict remote access to the /goform/formPdbUpConfig endpoint using firewall rules or network segmentation.
  • Implement input validation on the policyNames parameter to prevent the injection of arbitrary OS commands.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Utt 521g Firmware
CPEs cpe:2.3:h:utt:521g:2.0:*:*:*:*:*:*:*
cpe:2.3:o:utt:521g_firmware:3.1.1-190816:*:*:*:*:*:*:*
Vendors & Products Utt 521g Firmware

Mon, 09 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Utt
Utt 521g
Vendors & Products Utt
Utt 521g

Sun, 08 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in UTT 进取 521G 3.1.1-190816. The impacted element is the function sub_446B18 of the file /goform/formPdbUpConfig. Executing a manipulation of the argument policyNames can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Title UTT 进取 521G formPdbUpConfig sub_446B18 os command injection
Weaknesses CWE-77
CWE-78
References
Metrics cvssV2_0

{'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:50:07.937Z

Reserved: 2026-02-07T17:18:03.705Z

Link: CVE-2026-2188

Vulnrichment

Updated: 2026-02-09T20:55:29.899Z

NVD

Status: Analyzed

Published: 2026-02-08T22:15:50.973

Modified: 2026-02-10T14:57:33.183

Link: CVE-2026-2188

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:45:28Z
