Cyber Resilience

CVE-2025-13442

Medium · Public PoC

Published: 20 November 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none issued
CVSS Score v4: 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0042 (62.6th percentile)
Risk Priority: 11 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-13442 is a medium-severity Injection (CWE-74) vulnerability in Utt 750W Firmware. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.4% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

A security vulnerability has been detected in UTT 进取 750W up to version 3.2.2-191225. The issue resides in the system function of the file /goform/formPdbUpConfig, where improper handling of the policyNames argument permits command injection. The flaw is tracked under CWE-74 and CWE-77, carries a CVSS 4.0 score of 5.5, and can be reached over the network.

An unauthenticated attacker can exploit the vulnerability remotely by supplying a crafted policyNames value to the affected endpoint, resulting in arbitrary command execution on the device. Public exploit code has been released, and the vendor was notified prior to disclosure but provided no response.

The associated EPSS score rose from a low baseline to a peak of 0.0214 on 2025-12-11 before receding to its current value of 0.0042, indicating a period of increased exploitation interest following public disclosure. No official patches or mitigation guidance have been issued.

Vulnerability details

A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Affected by this vulnerability is the function system of the file /goform/formPdbUpConfig. Such manipulation of the argument policyNames leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote command injection through a web endpoint on a network device directly enables T1190 (Exploit Public-Facing Application), and the injected input is executed as arbitrary Unix shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-10172 (same product: Utt 750W)
CVE-2026-2135 (same vendor: Utt)
CVE-2026-2080 (same vendor: Utt)
CVE-2026-2118 (same vendor: Utt)
CVE-2026-2182 (same vendor: Utt)
CVE-2026-31059 (same vendor: Utt)
CVE-2026-2846 (same vendor: Utt)
CVE-2026-2847 (same vendor: Utt)
CVE-2026-2188 (same vendor: Utt)
CVE-2026-2194 (shared CWE-74, CWE-77)

Affected Assets

Utt 750W firmware, versions ≤ 3.2.2-191225

Mitigating Controls (NIST 800-53 r5) AI

SI-10 Information Input Validation (prevent): Directly prevents command injection by requiring validation of the policyNames argument in the /goform/formPdbUpConfig endpoint against expected formats and values.

SC-7 Boundary Protection (prevent): Enforces boundary protection to monitor and control remote network access to the vulnerable web endpoint, blocking unauthenticated exploitation attempts.

[control identifier not given on the page] (prevent): Addresses the root flaw through timely remediation, such as firmware patching or replacement, despite vendor non-response.
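As an added example (not code from the page, the vendor, or the firmware), this shows the input validation that SI-10 asks for on the policyNames argument described in the deeper analysis above, and runs the same allowlist over constructed web-server log lines to surface requests to /goform/formPdbUpConfig that would have failed it. The allowed name grammar, the Common Log Format layout and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
ENDPOINT = "/goform/formPdbUpConfig"
PARAM = "policyNames"

# Allowlist grammar for policy names. This is an assumption: the page does not
# document the firmware's real name format, so adjust it to what the device accepts.
# One or more comma-separated identifiers made of letters, digits, '_' and '-'.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}(?:,[A-Za-z0-9_-]{1,64})*")


def is_valid_policy_names(value: str) -> bool:
    """Strict allowlist check of the kind SI-10 calls for; anything outside it
    (shell metacharacters, whitespace, empty input) is rejected."""
    return _NAME_RE.fullmatch(value) is not None


def suspicious_values(request_line: str) -> list:
    """Return the decoded policyNames values in an HTTP request line that fail
    validation; empty for other endpoints or for well-formed input."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    url = urlsplit(parts[1])
    if url.path != ENDPOINT:
        return []
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if not is_valid_policy_names(v)]


def scan_access_log(lines) -> list:
    """Return (line_number, offending_value) pairs for Common Log Format lines
    whose request targets the endpoint with a non-conforming policyNames."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"([A-Z]+ [^" ]+ HTTP/[0-9.]+)"', line)
        if m:
            hits.extend((n, v) for v in suspicious_values(m.group(1)))
    return hits


# Constructed sample log lines (not real traffic) for a stand-alone run.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Nov/2025:10:00:01 +0000] "GET /goform/formPdbUpConfig?policyNames=office_lan HTTP/1.1" 200 512',
    '192.0.2.11 - - [21/Nov/2025:10:00:07 +0000] "GET /goform/formPdbUpConfig?policyNames=lan%3Bid HTTP/1.1" 200 512',
    '192.0.2.12 - - [21/Nov/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line_no, value in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: rejected policyNames={value!r}")
```

An access log only records the query string, so if the device accepts the parameter in a POST body the same check has to run where the body is visible, for example on a reverse proxy or WAF placed in front of the management interface (the SC-7 boundary).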
