Cyber Resilience

CVE-2026-2846

HighPublic PoCRCE

Published: 20 February 2026

Published
20 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v4 7.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0016 36.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2846 is a high-severity Command Injection (CWE-77) vulnerability in Utt 520 Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2846 is an OS command injection vulnerability affecting UTT HiPER 520 version 1.7.7-160105. The issue resides in the function sub_44D264 within the file /goform/formPdbUpConfig of the Web Management Interface, where manipulation of the policyNames argument enables command injection. It is classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2026-02-20.

An attacker with high privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary OS command execution on the affected device.

Advisories from VulDB (ctiid.347082, id.347082, submit.753964) and a GitHub repository (cha0yang1/UTT520CVE/blob/main/UTTRCE1.md) provide further details, including a publicly disclosed exploit that may be used in attacks.

EU & UK References

Vulnerability details

A security vulnerability has been detected in UTT HiPER 520 1.7.7-160105. This impacts the function sub_44D264 of the file /goform/formPdbUpConfig of the component Web Management Interface. The manipulation of the argument policyNames leads to os command injection. The attack can…

more

be initiated remotely. The exploit has been disclosed publicly and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in the web management interface (formPdbUpConfig) directly enables remote exploitation of a public-facing application (T1190) for arbitrary command execution via Unix shell (T1059.004) on the embedded device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2847Same product: Utt 520
CVE-2026-2188Same vendor: Utt
CVE-2026-31059Same vendor: Utt
CVE-2026-2135Same vendor: Utt
CVE-2026-2080Same vendor: Utt
CVE-2026-2118Same vendor: Utt
CVE-2026-2182Same vendor: Utt
CVE-2025-13442Same vendor: Utt
CVE-2026-9454Shared CWE-77, CWE-78
CVE-2026-6116Shared CWE-77, CWE-78

Affected Assets

utt
520 firmware
1.7.7-160105

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the policyNames argument in /goform/formPdbUpConfig to block OS command injection.

prevent

Limits the high-privilege accounts that can reach sub_44D264, reducing the population able to trigger the injection.

prevent

Enforces access-control decisions on the Web Management Interface so only authorized sessions can invoke formPdbUpConfig.

References