CVE-2026-2847 - Vulnerability Details

- UTT HiPER 520 Web Management formReleaseConnect sub_44EFB4 os command injection

Description

A vulnerability was detected in UTT HiPER 520 1.7.7-160105. Affected is the function sub_44EFB4 of the file /goform/formReleaseConnect of the component Web Management Interface. The manipulation of the argument Isp_Name results in os command injection. The attack can be launched remotely. The exploit is now public and may be used.

Published: 2026-02-20

Score: 8.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw lies in sub_44EFB4 within the Web Management Interface and allows attackers to manipulate the Isp_Name input to execute arbitrary operating‑system commands through the /goform/formReleaseConnect endpoint. This is an OS command injection flaw that can be triggered remotely, potentially compromising the device’s confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects UTT HiPER 520, specifically firmware version 1.7.7‑160105. No other versions are listed as impacted.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity. The EPSS score of less than 1% suggests that the likelihood of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is remote via the web interface, requiring network access to the device's management port. Because the exploit is publicly available, the risk persists until the device is patched or mitigated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

UTT

HiPER 520

affected

Version	Status	Constraints
`1.7.7-160105`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:utt:520_firmware:1.7.7-160105:*:*:*:*:*:*:*

cpe:2.3:h:utt:520:3.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Utt

Hiper 520

100%

Version	Status	Scheme	Platform
`1.7.7-160105`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the UTT HiPER 520 device to a firmware version that contains the vendor's fix for the command‑execution issue.
Enforce strict input validation on the Isp_Name field, rejecting or escaping all non‑alphanumeric characters to eliminate the possibility of command injection per CWE‑77 and CWE‑78.
Restrict access to the Web Management Interface by limiting allowed IP ranges or placing the device behind a properly configured firewall.

Generated by OpenCVE AI on April 18, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00748.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/cha0yang1/UTT520CVE/blob/main/UTTRCE2.md
https://vuldb.com/?ctiid.347083
https://vuldb.com/?id.347083
https://vuldb.com/?submit.753965

History

Tue, 24 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Utt 520 Utt 520 Firmware
CPEs		cpe:2.3:h:utt:520:3.0:::::::* cpe:2.3:o:utt:520_firmware:1.7.7-160105:::::::*
Vendors & Products		Utt 520 Utt 520 Firmware

Tue, 24 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 23 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Utt Utt hiper 520
Vendors & Products		Utt Utt hiper 520

Fri, 20 Feb 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in UTT HiPER 520 1.7.7-160105. Affected is the function sub_44EFB4 of the file /goform/formReleaseConnect of the component Web Management Interface. The manipulation of the argument Isp_Name results in os command injection. The attack can be launched remotely. The exploit is now public and may be used.
Title		UTT HiPER 520 Web Management formReleaseConnect sub_44EFB4 os command injection
Weaknesses		CWE-77 CWE-78
References		https://github.com/cha0yang1/UTT520CVE/blob/main/UTTRCE2.md https://vuldb.com/?ctiid.347083 https://vuldb.com/?id.347083 https://vuldb.com/?submit.753965
Metrics		cvssV2_0 `{'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Utt 520 520 Firmware Hiper 520

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-20T15:32:08.557Z

Updated: 2026-02-24T14:34:37.190Z

Reserved: 2026-02-20T07:59:51.842Z

Link: CVE-2026-2847

Vulnrichment

Updated: 2026-02-24T14:34:27.636Z

NVD

Status : Analyzed

Published: 2026-02-20T16:22:45.560

Modified: 2026-02-24T15:25:09.140

Link: CVE-2026-2847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object