CVE-2025-14191
Published: 07 December 2025
Description
A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. Affected by this issue is the function strcpy of the file /goform/formP2PLimitConfig. Such manipulation of the argument except leads to buffer overflow. It is possible to launch the…
more
attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of the 'except' argument size and format before strcpy usage in /goform/formP2PLimitConfig, directly preventing the buffer overflow.
Mandates timely flaw remediation for the known buffer overflow vulnerability, including patching or workarounds despite vendor non-response.
Deploys memory protections like stack canaries, ASLR, and DEP to hinder exploitation of the buffer overflow even if input validation fails.
Security SummaryAI
CVE-2025-14191 is a buffer overflow vulnerability affecting UTT 进取 512W routers in versions up to 1.7.7-171114. The issue resides in the strcpy function within the /goform/formP2PLimitConfig file, where improper handling of the "except" argument allows overflow conditions. Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.
Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary code execution, potentially granting high-impact confidentiality, integrity, and availability compromises, such as full system takeover on the affected router.
Advisories from VulDB (ctiid.334611, id.334611) and a public GitHub disclosure by DavCloudz detail the vulnerability, including a proof-of-concept (PoC) for the buffer overflow. The vendor was notified early but provided no response, and no patches or official mitigations are available as of publication on 2025-12-07.
The exploit has been publicly disclosed and may be actively used, increasing risks for unpatched UTT 进取 512W deployments.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in router's web interface (/goform/) enables remote exploitation (AV:N/PR:L) for arbitrary code execution, directly facilitating T1190 (Exploit Public-Facing Application) as initial access vector and T1068 (Exploitation for Privilege Escalation) from low to full system privileges.