Description
A security vulnerability has been detected in UTT HiPER 520 1.7.7-160105. This impacts the function sub_44D264 of the file /goform/formPdbUpConfig of the component Web Management Interface. The manipulation of the argument policyNames leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-02-20
Score: 8.6 High
EPSS: 9.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote attacker can supply specially crafted input to the policyNames argument of the formPdbUpConfig interface, causing arbitrary operating system commands to be executed on the UTT HiPER 520 device. This is a command injection flaw (CWE-77, CWE-78) that allows execution of arbitrary code with the privileges of the web management process, compromising confidentiality, integrity and availability of the device and any connected networks.

Affected Systems

The vulnerability exists in the UTT HiPER 520 model running firmware 1.7.7-160105. Only this firmware revision is explicitly documented as affected. Users of earlier or newer firmware versions are not confirmed to be impacted.

Risk and Exploitability

The CVSS of 8.6 classifies this as high severity, and the EPSS score of 10% indicates a higher probability of exploitation in the wild, though an attacker could still target the device intentionally. The vulnerability is not listed in the CISA KEV catalog, but has been publicly disclosed and may be used. The likely attack vector is remote exploitation via the web interface, with the policyNames parameter acting as the injection point for a command injection (CWE-77, CWE-78) vulnerability. No prerequisite authentication is mentioned, implying the flaw may be exploitable by unauthenticated users who can reach the web management interface.

Generated by OpenCVE AI on June 18, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the UTT firmware patch that eliminates the command injection vulnerability (CWE-77, CWE-78).
  • If a patch is unavailable, limit access to the web management interface to trusted IP addresses or quarantine the device behind a firewall.
  • If sufficient time is not available to apply the firmware update, disable or block the formPdbUpConfig endpoint so that the injection vector is no longer reachable.

Generated by OpenCVE AI on June 18, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Utt 520
Utt 520 Firmware
CPEs cpe:2.3:h:utt:520:3.0:*:*:*:*:*:*:*
cpe:2.3:o:utt:520_firmware:1.7.7-160105:*:*:*:*:*:*:*
Vendors & Products Utt 520
Utt 520 Firmware

Tue, 24 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Utt
Utt hiper 520
Vendors & Products Utt
Utt hiper 520

Fri, 20 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in UTT HiPER 520 1.7.7-160105. This impacts the function sub_44D264 of the file /goform/formPdbUpConfig of the component Web Management Interface. The manipulation of the argument policyNames leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
Title UTT HiPER 520 Web Management formPdbUpConfig sub_44D264 os command injection
Weaknesses CWE-77
CWE-78
References
Metrics cvssV2_0

{'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-24T14:30:51.460Z

Reserved: 2026-02-20T07:59:46.096Z

Link: CVE-2026-2846

cve-icon Vulnrichment

Updated: 2026-02-24T14:30:46.132Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T16:22:45.360

Modified: 2026-06-17T10:31:52.317

Link: CVE-2026-2846

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:45:11Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')