CVE-2026-2846
Published: 20 February 2026
Summary
CVE-2026-2846 is a high-severity Command Injection (CWE-77) vulnerability in Utt 520 Firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2846 is an OS command injection vulnerability affecting UTT HiPER 520 version 1.7.7-160105. The issue resides in the function sub_44D264 within the file /goform/formPdbUpConfig of the Web Management Interface, where manipulation of the policyNames argument enables command injection. It is classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2026-02-20.
An attacker with high privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary OS command execution on the affected device.
Advisories from VulDB (ctiid.347082, id.347082, submit.753964) and a GitHub repository (cha0yang1/UTT520CVE/blob/main/UTTRCE1.md) provide further details, including a publicly disclosed exploit that may be used in attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7617
Vulnerability details
A security vulnerability has been detected in UTT HiPER 520 1.7.7-160105. This impacts the function sub_44D264 of the file /goform/formPdbUpConfig of the component Web Management Interface. The manipulation of the argument policyNames leads to os command injection. The attack can…
more
be initiated remotely. The exploit has been disclosed publicly and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in the web management interface (formPdbUpConfig) directly enables remote exploitation of a public-facing application (T1190) for arbitrary command execution via Unix shell (T1059.004) on the embedded device.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the policyNames argument in /goform/formPdbUpConfig to block OS command injection.
Limits the high-privilege accounts that can reach sub_44D264, reducing the population able to trigger the injection.
Enforces access-control decisions on the Web Management Interface so only authorized sessions can invoke formPdbUpConfig.