Cyber Resilience

CVE-2026-7418

High

Published: 29 April 2026

Published
29 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0056 42.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7418 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-7418 is a buffer overflow vulnerability in the UTT HiPER 1250GW router firmware versions up to 3.2.7-210907-180535. The issue resides in the strcpy function within the route/goform/NTP file, where manipulation of the Profile argument triggers the overflow. Published on 2026-04-29, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).

Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation leads to high-impact consequences, including unauthorized disclosure of sensitive information, modification of data or system configuration, and denial of service through complete loss of availability.

Advisories from VulDB (vuln/360155) and a related GitHub repository detail the vulnerability and publicly disclose a working exploit, emphasizing remote exploitability. No specific patches or vendor mitigations are referenced in the available sources; practitioners should isolate affected devices, monitor for exploitation attempts targeting the NTP form endpoint, and pursue firmware updates from UTT if available.

The exploit's public disclosure heightens the risk of real-world attacks against exposed UTT HiPER 1250GW instances.

EU & UK References

Vulnerability details

A vulnerability was determined in UTT HiPER 1250GW up to 3.2.7-210907-180535. This vulnerability affects the function strcpy of the file route/goform/NTP. Executing a manipulation of the argument Profile can lead to buffer overflow. The attack may be launched remotely. The…

more

exploit has been publicly disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in router web interface (/goform/NTP) enables remote exploitation of public-facing application by authenticated users.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6630Shared CWE-119, CWE-120
CVE-2026-7055Shared CWE-119, CWE-120
CVE-2026-1162Shared CWE-119, CWE-120
CVE-2025-12232Shared CWE-119, CWE-120
CVE-2025-15459Shared CWE-119, CWE-120
CVE-2025-7463Shared CWE-119, CWE-120
CVE-2026-2202Shared CWE-119, CWE-120
CVE-2026-5980Shared CWE-119, CWE-120
CVE-2026-7857Shared CWE-119, CWE-120
CVE-2026-7057Shared CWE-119, CWE-120

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation requires timely patching of the buffer overflow in the strcpy function of the NTP form, directly eliminating the vulnerability.

prevent

Information input validation enforces checks on the Profile argument to prevent oversized or malformed inputs from triggering the buffer overflow.

prevent

Memory protection mechanisms like address space randomization and non-executable stacks mitigate exploitation of the buffer overflow even if input validation fails.

References