Cyber Resilience

CVE-2025-15459

HighPublic PoC

Published: 05 January 2026

Published
05 January 2026
Modified
12 January 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0078 51.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-15459 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Utt 520W Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-15459 is a buffer overflow vulnerability in the UTT 进取 520W version 1.7.7-180627, specifically affecting the strcpy function within the /goform/formUser file. The issue arises from improper handling of the passwd1 argument, allowing manipulated input to trigger the overflow. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).

The vulnerability can be exploited remotely by an attacker with low privileges, requiring network access and low attack complexity but no user interaction. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, potentially leading to full system compromise such as arbitrary code execution.

Advisories from VulDB and related GitHub repositories indicate no vendor response despite early notification, with no patches or mitigations released. A proof-of-concept exploit is publicly available, increasing the risk of active exploitation. Security practitioners should isolate or decommission affected devices where possible.

EU & UK References

Vulnerability details

A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formUser. Such manipulation of the argument passwd1 leads to buffer overflow. The attack may be launched remotely. The…

more

exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in remotely accessible web form (/goform/formUser) directly enables remote code execution on a public-facing network device.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1139Same product: Utt 520W
CVE-2025-15462Same product: Utt 520W
CVE-2026-2071Same product: Utt 520W
CVE-2025-15460Same product: Utt 520W
CVE-2026-0837Same product: Utt 520W
CVE-2025-14141Same product: Utt 520W
CVE-2026-2067Same product: Utt 520W
CVE-2026-0841Same product: Utt 520W
CVE-2026-0836Same product: Utt 520W
CVE-2026-0839Same product: Utt 520W

Affected Assets

utt
520w firmware
≤ 1.7.7-180627

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates the passwd1 input argument to prevent buffer overflow from oversized or malformed data in the /goform/formUser endpoint.

prevent

Implements memory protections such as stack canaries, ASLR, and non-executable memory to block arbitrary code execution from the strcpy buffer overflow.

preventdetect

Establishes processes to identify, prioritize, and remediate the known buffer overflow flaw, including isolation or decommissioning unpatched devices.

References