Impact
A flaw in the /goform/formReleaseConnect component of UTT Aggressive 520W firmware 1.7.7-180627 permits an attacker to inject a specially crafted string that is executed as a system command on the device. This command injection vulnerability (CWE-78) can lead to full compromise of the router, allowing the attacker to run arbitrary code, extract sensitive information, or disrupt network services. The impact is a loss of confidentiality, integrity, and availability for any network that relies on the affected router.
Affected Systems
Devices running the UTT Aggressive 520W model with hardware revision 3.0 and firmware version 1.7.7-180627 are impacted. The CPE identifiers confirm the specific router model and firmware build that contain the flaw.
Risk and Exploitability
The CVSS base score of 6.8 falls in the Medium severity band, close to the High threshold of 7.0. The EPSS score is below 1%, suggesting that exploitation in the wild is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must be able to send an HTTP request to the /goform/formReleaseConnect URL. The data does not state whether authentication is required to reach the vulnerable endpoint, so practitioners should assume that unauthenticated access is possible and test accordingly.
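Because exploitation requires an HTTP request to /goform/formReleaseConnect, requests to that path can be triaged from proxy or gateway logs. The following is an added example, not part of the original advisory or any vendor code; the log line format, the management subnet, and the parameter name `x` are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/goform/formReleaseConnect"             # path named in the advisory
MGMT_NET = ipaddress.ip_network("192.168.1.0/24")   # assumption: admin subnet
# Characters a shell treats as command separators, pipes, redirects or substitution.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

# Constructed sample lines in an assumed "<src-ip> <method> <url>" format.
SAMPLE_LOG = """\
192.168.1.10 POST /goform/formReleaseConnect?x=1
203.0.113.7 GET /goform/formReleaseConnect?x=1
192.168.1.23 POST /goform/formReleaseConnect?x=a%3Bb
192.168.1.10 GET /index.asp
198.51.100.4 POST /goform/formReleaseConnect?x=%24%28b%29
"""

def classify(line):
    """Return None for unrelated requests, otherwise a verdict string."""
    src, _method, url = line.split(maxsplit=2)
    parts = urlsplit(url.strip())
    # Decode the path so percent-encoded spellings of the endpoint still match.
    if unquote(parts.path).rstrip("/") != ENDPOINT:
        return None
    # Split on raw '&' first, then decode, so an encoded %26 stays inside a value.
    values = [v for _k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if any(SHELL_META.search(v) for v in values):
        return "shell-metachar"
    if ipaddress.ip_address(src) not in MGMT_NET:
        return "external-source"
    return "expected"

def scan(log):
    """Return (source IP, verdict) for every request that hits the endpoint."""
    hits = []
    for line in log.splitlines():
        if line.strip():
            verdict = classify(line)
            if verdict:
                hits.append((line.split()[0], verdict))
    return hits

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(f"{src:15} {verdict}")
```

Parameters sent in a POST body do not appear in URL-only logs, so a source that records request bodies is needed to see metacharacters submitted that way.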
OpenCVE Enrichment