Cyber Resilience

CVE-2026-2188

HighPublic PoCRCE

Published: 08 February 2026

Published
08 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 7.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0013 32.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2188 is a high-severity Command Injection (CWE-77) vulnerability in Utt 521G Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2188 is an OS command injection vulnerability in UTT 进取 521G version 3.1.1-190816. The flaw affects the function sub_446B18 in the file /goform/formPdbUpConfig, where manipulation of the policyNames argument triggers the injection. It is associated with CWEs-77 and CWE-78 and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

The vulnerability enables remote exploitation by attackers possessing high privileges (PR:H). Exploitation requires low attack complexity with no user interaction, potentially granting high impacts on confidentiality, integrity, and availability, including arbitrary command execution on the device.

Advisories and related resources include a publicly disclosed exploit proof-of-concept at https://github.com/cha0yang1/UTT521G/blob/main/RCE2.md, which may be utilized for attacks. Further details are available via VulDB at https://vuldb.com/?ctiid.344891, https://vuldb.com/?id.344891, and https://vuldb.com/?submit.749733; these do not specify patches or mitigations in the provided information.

The CVE was published on 2026-02-08, and the exploit disclosure heightens real-world exploitation risk for unpatched UTT 进取 521G devices.

EU & UK References

Vulnerability details

A vulnerability was determined in UTT 进取 521G 3.1.1-190816. The impacted element is the function sub_446B18 of the file /goform/formPdbUpConfig. Executing a manipulation of the argument policyNames can lead to os command injection. It is possible to launch the attack…

more

remotely. The exploit has been publicly disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in web form (/goform) of network device enables remote exploitation of public-facing application and Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2182Same product: Utt 521G
CVE-2026-2846Same vendor: Utt
CVE-2026-2847Same vendor: Utt
CVE-2026-31059Same vendor: Utt
CVE-2026-2135Same vendor: Utt
CVE-2026-2080Same vendor: Utt
CVE-2026-2118Same vendor: Utt
CVE-2025-13442Same vendor: Utt
CVE-2026-9454Shared CWE-77, CWE-78
CVE-2026-6116Shared CWE-77, CWE-78

Affected Assets

utt
521g firmware
3.1.1-190816

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly blocks OS command injection by validating/sanitizing the policyNames argument before it reaches sub_446B18.

prevent

Requires timely patching of the publicly disclosed command-injection flaw in /goform/formPdbUpConfig.

prevent

Limits the high-privilege accounts (PR:H) needed to reach the vulnerable formPdbUpConfig endpoint.

References