Cyber Posture

CVE-2025-13442

Severity: High · Public PoC

Published: 20 November 2025
Modified: 29 April 2026
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0042 (62.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Affected by this vulnerability is the function system of the file /goform/formPdbUpConfig. Such manipulation of the argument policyNames leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5), AI-generated

- Prevent: Directly prevents command injection by requiring validation of the policyNames argument in the /goform/formPdbUpConfig endpoint against expected formats and values.
- Prevent: Enforces boundary protection to monitor and control remote network access to the vulnerable web endpoint, blocking unauthenticated exploitation attempts.
- Prevent: Addresses the root flaw through timely remediation, such as firmware patching or replacement, despite vendor non-response.
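Added example, not part of this advisory or of the vendor's firmware: a Python allowlist check for the policyNames parameter of /goform/formPdbUpConfig, usable in a reverse proxy placed in front of the device as the boundary-protection control suggests, plus a detector that applies the same check to constructed access-log lines. The permitted character set and the log format are assumptions, not something the advisory specifies.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the CVE-2025-13442 description.
VULN_PATH = "/goform/formPdbUpConfig"
VULN_PARAM = "policyNames"

# Assumption: legitimate policy names consist of letters, digits, '_', '-'
# and ',' as a list separator. Anything else (';', '|', '`', '$(', ...) is
# rejected outright rather than trying to blocklist individual metacharacters.
ALLOWED = re.compile(r"[A-Za-z0-9_,\-]*")

# Common Log Format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not real traffic): one benign request, two
# requests carrying shell metacharacters in policyNames, one unrelated request.
LOG_LINES = """\
203.0.113.5 - - [20/Nov/2025:10:00:01 +0000] "GET /goform/formPdbUpConfig?policyNames=office_lan,guest HTTP/1.1" 200 512
203.0.113.9 - - [20/Nov/2025:10:00:07 +0000] "GET /goform/formPdbUpConfig?policyNames=a%3Bid HTTP/1.1" 200 48
203.0.113.9 - - [20/Nov/2025:10:00:09 +0000] "GET /goform/formPdbUpConfig?policyNames=%24%28id%29 HTTP/1.1" 200 48
198.51.100.2 - - [20/Nov/2025:10:00:15 +0000] "GET /index.htm HTTP/1.1" 200 1024
"""


def extract_policy_names(request_target, body=""):
    """Collect every policyNames value from the query string and, if given, a form body.
    parse_qs percent-decodes the values, so the allowlist is applied to decoded text."""
    values = parse_qs(urlsplit(request_target).query, keep_blank_values=True).get(VULN_PARAM, [])
    if body:
        values += parse_qs(body, keep_blank_values=True).get(VULN_PARAM, [])
    return values


def is_suspicious(request_target, body=""):
    """True when a request to the vulnerable endpoint carries a policyNames value
    outside the allowlist. Suitable as an in-line block rule on a proxy."""
    if urlsplit(request_target).path != VULN_PATH:
        return False
    return any(ALLOWED.fullmatch(v) is None for v in extract_policy_names(request_target, body))


def scan_log(lines):
    """Return (client_ip, offending_value) pairs for logged requests matching the pattern.
    Access logs hold only the request line, so POST bodies must be checked in-line instead."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, _status = m.groups()
        if is_suspicious(target):
            hits.extend((ip, v) for v in extract_policy_names(target) if ALLOWED.fullmatch(v) is None)
    return hits
```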

Security Summary, AI-generated

CVE-2025-13442 is a command injection vulnerability affecting the UTT 进取 750W device running firmware versions up to 3.2.2-191225. The issue resides in the system function handling the /goform/formPdbUpConfig endpoint, where manipulation of the policyNames argument enables arbitrary command execution. Classified under CWE-74 and CWE-77, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its remote network accessibility and low complexity.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests to the affected endpoint, injecting malicious commands via the policyNames parameter. Successful exploitation allows limited impacts, including low-level confidentiality breaches (such as reading sensitive data), integrity modifications, and availability disruptions on the targeted device.

Advisories from VulDB and a related GitHub issue disclose the exploit publicly, noting it may be actively used. The vendor was notified early but has not responded or issued patches, leaving affected systems without official mitigations; practitioners should isolate devices, restrict network access to the endpoint, or seek alternative firmware if available.

Details

CWE(s): CWE-74, CWE-77

Affected Products: utt 750w firmware ≤ 3.2.2-191225

MITRE ATT&CK Enterprise Techniques, AI-generated

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote command injection via a web endpoint on a network device directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
