CVE-2026-1137

CVE-2026-1137 is a buffer overflow vulnerability affecting the UTT 进取 520W device running firmware version 1.7.7-180627. The issue resides in the strcpy function within the /goform/formWebAuthGlobalConfig file, where improper input handling allows manipulation leading to a buffer overflow. This vulnerability, associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.

The vulnerability can be exploited remotely by an attacker who has low-privileged access (PR:L), such as a standard user account on the device, with low attack complexity and no user interaction required. Successful exploitation enables the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data compromise, or denial of service on the affected device.

Advisories from VulDB and a related GitHub repository detail the issue but note that the vendor was contacted early without any response, and no patches or mitigations are available. The exploit is publicly available, increasing the risk of active exploitation.

Notable context includes the public availability of the exploit code, which may facilitate widespread attacks against unpatched UTT 进取 520W devices. No evidence of real-world exploitation in the wild is specified, and the vulnerability has no apparent relevance to AI/ML components.