Cyber Resilience

CVE-2026-7419

High

Published: 29 April 2026

Published
29 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0054 41.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7419 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-7419 is a buffer overflow vulnerability affecting the UTT HiPER 1250GW router in versions up to 3.2.7-210907-180535. The flaw exists in the strcpy function within the file route/goform/formTaskEdit_ap, where manipulation of the Profile argument triggers the overflow. It is classified under CWE-119 and CWE-120, with remote exploitation possible and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Low-privileged remote attackers (PR:L) can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (C:H), modification of system resources (I:H), and denial of service or code execution (A:H).

Advisories provide further details on VulDB at https://vuldb.com/vuln/360156 and https://vuldb.com/vuln/360156/cti, with a public exploit available on GitHub at https://github.com/kirlic123/IOTvulner/blob/main/4035/2/2.md. The references indicate the exploit might be used but do not specify patches or mitigations.

The publicly available exploit highlights notable risk for real-world exploitation against unpatched UTT HiPER 1250GW devices.

EU & UK References

Vulnerability details

A vulnerability was identified in UTT HiPER 1250GW up to 3.2.7-210907-180535. This issue affects the function strcpy of the file route/goform/formTaskEdit_ap. The manipulation of the argument Profile leads to buffer overflow. Remote exploitation of the attack is possible. The exploit…

more

is publicly available and might be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Buffer overflow in public-facing web form (remote, low-priv auth, high impact including RCE) directly enables exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2935Shared CWE-119, CWE-120
CVE-2025-15461Shared CWE-119, CWE-120
CVE-2026-7288Shared CWE-119, CWE-120
CVE-2025-9781Shared CWE-119, CWE-120
CVE-2026-3814Shared CWE-119, CWE-120
CVE-2026-7749Shared CWE-119, CWE-120
CVE-2026-2904Shared CWE-119, CWE-120
CVE-2026-4318Shared CWE-119, CWE-120
CVE-2025-15217Shared CWE-119, CWE-120
CVE-2026-3274Shared CWE-119, CWE-120

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of the buffer overflow flaw in CVE-2026-7419 via patching unpatched UTT HiPER 1250GW routers.

prevent

Mandates validation of the Profile argument in the formTaskEdit_ap function to block malicious inputs that trigger the strcpy buffer overflow.

prevent

Implements memory protections such as stack canaries, ASLR, and DEP to prevent exploitation of the buffer overflow even if invalid input reaches strcpy.

References