CVE-2026-3015 - Vulnerability Details

- UTT HiPER 810G formPolicyRouteConf strcpy buffer overflow

Description

A vulnerability was determined in UTT HiPER 810G up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/formPolicyRouteConf. Executing a manipulation of the argument GroupName can lead to buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

Published: 2026-02-23

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the strcpy function used by the /goform/formPolicyRouteConf handler in UTT HiPER 810G firmware versions up to 1.7.7‑171114. A specially crafted GroupName value can overflow the destination buffer, provoking memory corruption. The CVE description does not explicitly state the extent of the impact beyond the overflow, so the concrete consequences such as code execution are not confirmed in the publicly released data.

Affected Systems

This issue affects UTT HiPER 810G routers and appliances running firmware 1.7.7 or earlier.

Risk and Exploitability

The CVSS score of 8.7 classifies the flaw as high severity. EPSS indicates a very low chance of exploitation (< 1 %) at the time of this analysis, and the vulnerability has not yet appeared in the CISA KEV list. Nevertheless, remote attackers can trigger the overflow by sending a malicious request to the vulnerable endpoint, as public proof‑of‑concept code demonstrates. Because the exploit is remote and does not require local privileges, the risk can affect any subnet or network segment that can reach the device.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

UTT

HiPER 810G

affected

Version	Status	Constraints
`1.7.7-171114`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:utt:810g_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:utt:810g:3.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Utt

Hiper 810g

100%

Version	Status	Scheme	Platform
`1.7.7-171114`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest firmware update from UTT that removes the vulnerable strcpy usage.
If an update is not immediately available, block remote access to the /goform/formPolicyRouteConf endpoint using a firewall or ACL.
Implement input validation on the GroupName field to enforce length limits, preventing buffer overflows until a patch is released.

Generated by OpenCVE AI on April 18, 2026 at 17:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00106.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/xhsy0314/CVEReport/blob/main/UTT-1/README.md
https://github.com/xhsy0314/CVEReport/blob/main/UTT-1/README.md#poc
https://vuldb.com/?ctiid.347375
https://vuldb.com/?id.347375
https://vuldb.com/?submit.756248

History

Tue, 24 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Utt 810g Utt 810g Firmware
CPEs		cpe:2.3:h:utt:810g:3.0:::::::* cpe:2.3:o:utt:810g_firmware::::::::
Vendors & Products		Utt 810g Utt 810g Firmware

Tue, 24 Feb 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Utt Utt hiper 810g
Vendors & Products		Utt Utt hiper 810g

Mon, 23 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 23 Feb 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in UTT HiPER 810G up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/formPolicyRouteConf. Executing a manipulation of the argument GroupName can lead to buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Title		UTT HiPER 810G formPolicyRouteConf strcpy buffer overflow
Weaknesses		CWE-119 CWE-120
References		https://github.com/xhsy0314/CVEReport/blob/main/UTT-1/README.md https://github.com/xhsy0314/CVEReport/blob/main/UTT-1/README.md#poc https://vuldb.com/?ctiid.347375 https://vuldb.com/?id.347375 https://vuldb.com/?submit.756248
Metrics		cvssV2_0 `{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Utt 810g 810g Firmware Hiper 810g

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-23T14:32:08.483Z

Updated: 2026-02-23T18:53:43.628Z

Reserved: 2026-02-23T09:30:48.696Z

Link: CVE-2026-3015

Vulnrichment

Updated: 2026-02-23T18:53:31.836Z

NVD

Status : Analyzed

Published: 2026-02-23T16:29:37.950

Modified: 2026-02-24T20:02:06.640

Link: CVE-2026-3015

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object