CVE-2025-15461
Published: 05 January 2026
Summary
CVE-2025-15461 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Utt 520W Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents the buffer overflow by validating the selDateType input argument for proper length and format before processing with strcpy in /goform/formTaskEdit.
Implements memory protections like stack canaries, ASLR, and DEP to block exploitation of the buffer overflow vulnerability even if invalid input reaches strcpy.
Requires timely flaw remediation processes, such as applying patches or isolating/replacing the vulnerable UTT router firmware when no vendor fix is available.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public web form (/goform) directly enables remote exploitation of a network device (T1190) by low-priv authenticated users, resulting in arbitrary code execution and full system compromise (T1068).
NVD Description
A flaw has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/formTaskEdit. Executing a manipulation of the argument selDateType can lead to buffer overflow. The attack can be executed remotely. The exploit…
more
has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-15461 is a buffer overflow vulnerability affecting the UTT 进取 520W router firmware version 1.7.7-180627. The flaw exists in the strcpy function within the /goform/formTaskEdit file, where manipulation of the selDateType argument triggers the overflow. Published on 2026-01-05, it carries a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).
The vulnerability enables remote exploitation by an authenticated attacker with low privileges (PR:L) who has network access. No user interaction is required, and the attack complexity is low. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system compromise via the buffer overflow.
Advisories from VulDB and related disclosures indicate that the vendor was contacted early about the issue but provided no response or patches. An exploit proof-of-concept has been publicly released on GitHub, increasing the risk of active misuse. No official mitigations are available, leaving affected systems reliant on network segmentation or replacement.
Details
- CWE(s)