Cyber Resilience

CVE-2026-4487

Severity: High
Published: 20 March 2026
Modified: 22 April 2026
CVSS Score (v4): 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0051 (39.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4487 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 39.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4487 is a buffer overflow vulnerability in UTT HiPER 1200GW routers up to version 2.5.3-170306. The flaw affects the strcpy function in the file /goform/websHostFilter, stemming from CWE-119 and CWE-120. It was published on 2026-03-20 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially leading to full system control. The exploit has been publicly disclosed and may be utilized.

Advisories and additional details are available in referenced sources, including VulDB entries (https://vuldb.com/?ctiid.352010, https://vuldb.com/?id.352010, https://vuldb.com/?submit.773538) and a GitHub repository (https://github.com/hmKunlun/UTTHiPER/blob/main/HiPER%201200GW.md).

The public disclosure of the exploit increases the risk of real-world attacks against affected devices.

Vulnerability details

A vulnerability was determined in UTT HiPER 1200GW up to 2.5.3-170306. This impacts the function strcpy of the file /goform/websHostFilter. This manipulation causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

CWE(s): CWE-119, CWE-120

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A buffer overflow in a public web form (/goform/websHostFilter) enables remote exploitation of the internet-facing router application (T1190), and the resulting code execution allows escalation from low-privileged access to full system control (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2935 (shared CWE-119, CWE-120)
CVE-2025-15461 (shared CWE-119, CWE-120)
CVE-2026-7288 (shared CWE-119, CWE-120)
CVE-2025-9781 (shared CWE-119, CWE-120)
CVE-2026-3814 (shared CWE-119, CWE-120)
CVE-2026-7749 (shared CWE-119, CWE-120)
CVE-2026-2904 (shared CWE-119, CWE-120)
CVE-2026-4318 (shared CWE-119, CWE-120)
CVE-2025-15217 (shared CWE-119, CWE-120)
CVE-2026-3274 (shared CWE-119, CWE-120)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly remediates the buffer overflow in the strcpy function of /goform/websHostFilter by requiring timely installation of firmware patches on affected UTT HiPER 1200GW routers.

SI-16 Memory Protection (prevent): Implements memory protections such as address space layout randomization, stack canaries, and non-executable data regions to block exploitation of the buffer overflow even on unpatched systems.

Input validation (prevent): Requires validation of inputs to the /goform/websHostFilter endpoint to reject oversized or malformed data that could trigger the strcpy buffer overflow.
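As an added illustration of the input-validation control above (not code from the router's firmware or from this advisory), the following hypothetical C handler for a host-filter parameter enforces a length bound and a character allowlist before any copy into a fixed-size buffer; HOST_MAX, set_host_filter and the allowed character set are assumptions, not details of the affected product.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical maximum length of one host-filter entry. The advisory does
 * not state the router's real buffer size; this value is an assumption. */
#define HOST_MAX 64

enum filter_status { FILTER_OK, FILTER_EMPTY, FILTER_TOO_LONG, FILTER_BAD_CHAR };

struct host_filter { char host[HOST_MAX]; };

/* The pattern the advisory describes, shown only for contrast and never
 * called here: strcpy(f->host, param) copies until the NUL of an untrusted,
 * unbounded request parameter, so an overlong value overruns f->host. */

/* Allow only characters that can legitimately appear in a hostname pattern. */
static int host_char_ok(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '*';
}

/* Hardened handler: reject empty, oversized or malformed input before any
 * byte reaches the fixed-size buffer, then copy with an explicit bound. */
enum filter_status set_host_filter(struct host_filter *f, const char *param) {
    size_t len = 0;
    /* Bounded scan: never read past HOST_MAX even if param has no terminator. */
    while (len < HOST_MAX && param[len] != '\0') len++;
    if (len == 0) return FILTER_EMPTY;
    if (len >= HOST_MAX) return FILTER_TOO_LONG;   /* keep room for the NUL */
    for (size_t i = 0; i < len; i++)
        if (!host_char_ok((unsigned char)param[i])) return FILTER_BAD_CHAR;
    memcpy(f->host, param, len);
    f->host[len] = '\0';
    return FILTER_OK;
}

int main(void) {
    struct host_filter f;
    char oversized[HOST_MAX + 40];              /* constructed overlong input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("printer.lan -> %d\n", set_host_filter(&f, "printer.lan"));  /* 0 */
    printf("oversized   -> %d\n", set_host_filter(&f, oversized));      /* 2 */
    printf("a;b         -> %d\n", set_host_filter(&f, "a;b"));          /* 3 */
    return 0;
}
```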

References