CVE-2025-13442
Published: 20 November 2025
Summary
CVE-2025-13442 is a medium-severity injection vulnerability (CWE-74) in UTT 进取 750W firmware. Its CVSS 4.0 base score is 5.5 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
A security vulnerability has been detected in UTT 进取 750W up to version 3.2.2-191225. The issue resides in the system function of the file /goform/formPdbUpConfig, where improper handling of the policyNames argument permits command injection. The flaw is tracked under CWE-74 and CWE-77, carries a CVSS 4.0 score of 5.5, and can be reached over the network.
An unauthenticated attacker can exploit the vulnerability remotely by supplying a crafted policyNames value to the affected endpoint, resulting in arbitrary command execution on the device. Public exploit code has been released, and the vendor was notified prior to disclosure but provided no response.
The associated EPSS score rose from a low baseline to a peak of 0.0214 on 2025-12-11 before receding to its current value of 0.0042, indicating a period of increased exploitation interest following public disclosure. No official patches or mitigation guidance have been issued.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-198255
Vulnerability details
A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Affected by this vulnerability is the function system of the file /goform/formPdbUpConfig. Such manipulation of the argument policyNames leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote command injection through a web endpoint on a network device directly enables T1190 (Exploit Public-Facing Application) and gives the attacker arbitrary Unix shell command execution on the appliance (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents the command injection by requiring that the policyNames argument to /goform/formPdbUpConfig be validated against an expected format and set of values before it reaches system().
- SC-7 (Boundary Protection): monitors and controls remote network access to the vulnerable web endpoint, so that unauthenticated exploitation attempts from untrusted networks never reach the management interface.
- SI-2 (Flaw Remediation): addresses the root flaw through timely remediation, such as firmware patching or device replacement, which matters here because the vendor has not responded and no fixed version has been published.
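The following is an added illustration of the command-injection pattern described in the deeper analysis above and of the input-validation (SI-10) fix listed under mitigating controls. It is not UTT's firmware code and was not derived from the device: the helper binary /sbin/pdbtool, the comma-separated list format of policyNames and the 32-character name limit are assumptions made for the example. It shows the unsafe system() call that CWE-77 describes beside a hardened handler that rejects anything outside an allowlist and then invokes the helper with execv(), so no shell ever parses the parameter.

```c
/*
 * Added example for CVE-2025-13442: the CWE-77 pattern and its SI-10 fix.
 * NOT UTT firmware code. PDB_TOOL, the comma-separated list format and the
 * 32-character name limit are assumptions made for this illustration.
 */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_POLICY_NAME  32
#define MAX_POLICY_COUNT 8
#define PDB_TOOL "/sbin/pdbtool"   /* hypothetical helper the handler invokes */

/* VULNERABLE pattern: the request parameter is spliced into a shell command
 * line and handed to system(). A policyNames value such as "office;reboot"
 * or "x$(cat /etc/shadow)" runs as the web daemon, typically root on a SOHO
 * router. Present only to show what the hardened handler replaces. */
int pdb_up_config_unsafe(const char *policy_names)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, PDB_TOOL " update %s", policy_names);
    return system(cmd);
}

/* Allowlist for one policy name: 1..MAX_POLICY_NAME chars from [A-Za-z0-9_-].
 * Shell metacharacters (space ; | & ` $ quotes newline) and '/' are rejected
 * outright rather than escaped. */
int policy_name_is_valid(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_POLICY_NAME)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Split "a,b,c" into validated tokens stored in out[]. buf receives a writable
 * copy that the tokens point into. Returns the token count, or -1 if the input
 * is too long, empty, has too many names, or any name fails the allowlist. */
int parse_policy_names(const char *policy_names, char *buf, size_t buflen,
                       char *out[], int max_out)
{
    if (strlen(policy_names) >= buflen)
        return -1;
    strcpy(buf, policy_names);
    int count = 0;
    char *save = NULL;
    for (char *tok = strtok_r(buf, ",", &save); tok != NULL;
         tok = strtok_r(NULL, ",", &save)) {
        if (count >= max_out || !policy_name_is_valid(tok))
            return -1;
        out[count++] = tok;
    }
    return count == 0 ? -1 : count;
}

/* HARDENED handler: validate, then exec the helper directly with execv().
 * No shell is involved, so metacharacters would be inert even if the
 * allowlist were loosened later. Returns the helper's exit status, -1 for
 * rejected input (HTTP 400 in a real handler), or -2 on a process error. */
int pdb_up_config_safe(const char *policy_names)
{
    char buf[MAX_POLICY_COUNT * (MAX_POLICY_NAME + 1) + 1];
    char *names[MAX_POLICY_COUNT];
    int n = parse_policy_names(policy_names, buf, sizeof buf, names, MAX_POLICY_COUNT);
    if (n < 0)
        return -1;

    char *argv[MAX_POLICY_COUNT + 3];
    int a = 0;
    argv[a++] = PDB_TOOL;
    argv[a++] = "update";
    for (int i = 0; i < n; i++)
        argv[a++] = names[i];
    argv[a] = NULL;

    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        execv(PDB_TOOL, argv);
        _exit(127);                 /* helper missing or not executable */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void)
{
    /* Constructed inputs: one benign list, two injection attempts. */
    const char *inputs[] = { "office_policy1,guest-wifi", "office;reboot", "x$(id)" };
    char buf[MAX_POLICY_COUNT * (MAX_POLICY_NAME + 1) + 1];
    char *names[MAX_POLICY_COUNT];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int n = parse_policy_names(inputs[i], buf, sizeof buf, names, MAX_POLICY_COUNT);
        printf("%-28s -> %s\n", inputs[i], n < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

Build with any C compiler on a POSIX system and run it; the three constructed inputs print accepted or rejected, and the unsafe function is never called with attacker-controlled data. The design point is that escaping the string and keeping system() would leave the handler one regex change away from the original bug; removing the shell from the call path is the durable part of the fix, with the allowlist as defence in depth.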