CVE-2026-2188
Published: 08 February 2026
Summary
CVE-2026-2188 is a high-severity Command Injection (CWE-77) vulnerability in UTT 521G firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 32.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2188 is an OS command injection vulnerability in UTT 进取 521G version 3.1.1-190816. The flaw affects the function sub_446B18 in the file /goform/formPdbUpConfig, where manipulation of the policyNames argument triggers the injection. It is associated with CWE-77 and CWE-78 and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
The vulnerability is remotely exploitable by attackers who hold high privileges (PR:H). Exploitation has low attack complexity and needs no user interaction, with potentially high impact on confidentiality, integrity, and availability, including arbitrary command execution on the device.
Advisories and related resources include a publicly disclosed exploit proof-of-concept at https://github.com/cha0yang1/UTT521G/blob/main/RCE2.md, which may be utilized for attacks. Further details are available via VulDB at https://vuldb.com/?ctiid.344891, https://vuldb.com/?id.344891, and https://vuldb.com/?submit.749733; the provided information from these sources does not specify patches or mitigations.
The CVE was published on 2026-02-08, and the exploit disclosure heightens real-world exploitation risk for unpatched UTT 进取 521G devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5762
Vulnerability details
A vulnerability was determined in UTT 进取 521G 3.1.1-190816. The impacted element is the function sub_446B18 of the file /goform/formPdbUpConfig. Executing a manipulation of the argument policyNames can lead to OS command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in the web form handler (/goform) of a network device enables remote exploitation of a public-facing application and Unix shell command execution.
Mitigating Controls (NIST 800-53 r5)
Directly blocks OS command injection by validating/sanitizing the policyNames argument before it reaches sub_446B18.
Requires timely patching of the publicly disclosed command-injection flaw in /goform/formPdbUpConfig.
Limits the high-privilege accounts (PR:H) needed to reach the vulnerable formPdbUpConfig endpoint.