CVE-2026-7419
Published: 29 April 2026
Summary
CVE-2026-7419 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 41.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-7419 is a buffer overflow vulnerability affecting the UTT HiPER 1250GW router in versions up to 3.2.7-210907-180535. The flaw is in a strcpy call in the file route/goform/formTaskEdit_ap, where manipulation of the Profile argument triggers the overflow. It is classified under CWE-119 and CWE-120, is remotely exploitable, and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Low-privileged remote attackers (PR:L) can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (C:H), modification of system resources (I:H), and denial of service or code execution (A:H).
Further details are available from VulDB at https://vuldb.com/vuln/360156 and https://vuldb.com/vuln/360156/cti, and a public exploit is available on GitHub at https://github.com/kirlic123/IOTvulner/blob/main/4035/2/2.md. The references indicate the exploit might be used but do not specify patches or mitigations.
The publicly available exploit raises the risk of real-world exploitation against unpatched UTT HiPER 1250GW devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26297
Vulnerability details
A vulnerability was identified in UTT HiPER 1250GW up to 3.2.7-210907-180535. This issue affects the function strcpy of the file route/goform/formTaskEdit_ap. The manipulation of the argument Profile leads to buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A buffer overflow in a public-facing web form (remote, low-privilege authentication, high impact including RCE) directly enables exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) (AI)
Directly requires timely identification, reporting, and correction of the buffer overflow flaw in CVE-2026-7419 by patching affected UTT HiPER 1250GW routers.
Mandates validation of the Profile argument in the formTaskEdit_ap function to block malicious inputs that trigger the strcpy buffer overflow.
Implements memory protections such as stack canaries, ASLR, and DEP to prevent exploitation of the buffer overflow even if invalid input reaches strcpy.
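The input-validation control described above, sketched in C as an added example; it is not code from the UTT firmware or from this page. The buffer size PROFILE_MAX, the character allowlist, and the names copy_profile and profile_status are assumptions, since the page does not show the handler's source.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the page does not give the firmware's real buffer length. */
#define PROFILE_MAX 32

enum profile_status { PROFILE_OK, PROFILE_MISSING, PROFILE_TOO_LONG, PROFILE_BAD_CHAR };

/* Assumed allowlist for a profile name: letters, digits, '_', '-', '.'. */
static int profile_char_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
}

/* Validate the Profile value, then copy it; on any failure dst is left empty. */
enum profile_status copy_profile(char *dst, size_t dst_size, const char *value)
{
    size_t len;

    if (dst == NULL || dst_size == 0)
        return PROFILE_MISSING;
    dst[0] = '\0';
    if (value == NULL || value[0] == '\0')
        return PROFILE_MISSING;

    /* Measure at most dst_size bytes so an oversized value is never fully walked. */
    for (len = 0; len < dst_size && value[len] != '\0'; len++)
        ;
    if (len == dst_size)
        return PROFILE_TOO_LONG;   /* reject instead of silently truncating */

    for (size_t i = 0; i < len; i++)
        if (!profile_char_ok((unsigned char)value[i]))
            return PROFILE_BAD_CHAR;

    memcpy(dst, value, len + 1);   /* len + 1 <= dst_size, terminator included */
    return PROFILE_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from any real request. */
    const char *samples[] = { "office-ap_1", "bad;name", "" };
    char profile[PROFILE_MAX];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d\n", (int)copy_profile(profile, sizeof profile, samples[i]));
    return 0;
}
```

Rejecting an over-length value, rather than truncating it, keeps the stored profile name identical to what the request supplied and gives the handler a clear error to log.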