Cyber Posture

CVE-2026-1139

Severity: High · Public PoC available

Published: 19 January 2026
Modified: 04 February 2026
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/ConfigExceptMSN. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 (prevent, recover): requires timely identification, reporting, and correction of system flaws like this buffer overflow vulnerability, including testing and incorporation into risk mitigation.

SI-10 (prevent): mandates validation of information inputs to the vulnerable /goform/ConfigExceptMSN function, directly preventing buffer overflow triggers from improper input handling.

SI-16 (prevent): implements memory protections such as address space layout randomization or stack canaries to block unauthorized code execution from buffer overflow exploitation.

Security Summary [AI-generated]

CVE-2026-1139 is a buffer overflow vulnerability in the UTT 进取 520W router running firmware version 1.7.7-180627. The issue resides in the strcpy function within the /goform/ConfigExceptMSN file, where improper input handling allows attackers to trigger a buffer overflow. This flaw was published on January 19, 2026, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapping to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).

Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, potentially leading to arbitrary code execution, data theft, or full device compromise. An exploit has been publicly disclosed and may be actively used, as the vendor was notified early but provided no response.

Advisories from VulDB (ctiid.341730, id.341730, submit.735299) and a GitHub repository (cymiao1978/cve/blob/main/new/34.md) document the vulnerability, confirm remote exploitability, and note the lack of vendor patches or mitigations. No official fixes are available, leaving affected devices exposed.
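The SI-10 control above and the CWE-120 classification both come down to the same coding defect: a form field copied into a fixed-size buffer with strcpy, which never checks the destination's capacity. The following C example, added here and not taken from the UTT firmware or from any advisory, shows that pattern next to a bounded, rejecting alternative. All names (handle_except_msn_*, except_msn_validate, FIELD_MAX) and the 32-byte buffer size are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: a CGI-style handler that copies one form field
 * into a fixed stack buffer. Names and sizes are hypothetical; this is
 * not the UTT 520W firmware's code. */

#define FIELD_MAX 32   /* capacity of the destination buffer, including the NUL */

/* The pattern the advisory describes (CWE-120): strcpy copies until it
 * finds a NUL in the source, trusting that the destination is big enough.
 * Any value of FIELD_MAX bytes or more writes past the end of buf. */
int handle_except_msn_unchecked(const char *value)
{
    char buf[FIELD_MAX];
    strcpy(buf, value);               /* no bound on how much is written */
    return (int)strlen(buf);
}

/* Hardened form (SI-10 input validation): measure the input against the
 * destination capacity first, reject anything that would not fit with its
 * terminator, and only then perform a length-bounded copy. Returns the
 * number of bytes stored, or -1 when the input is rejected. */
int handle_except_msn_checked(const char *value, char *out, size_t outlen)
{
    if (value == NULL || out == NULL || outlen == 0)
        return -1;

    /* Bounded scan: stop at outlen so an unterminated source cannot be
     * read past the limit either. */
    size_t n = 0;
    while (n < outlen && value[n] != '\0')
        n++;

    if (n >= outlen)                  /* no room for the terminating NUL */
        return -1;                    /* reject instead of truncating silently */

    memcpy(out, value, n);
    out[n] = '\0';
    return (int)n;
}

/* Wrapper that applies the checked handler to a FIELD_MAX-sized buffer,
 * so callers (and tests) only need to pass the untrusted value. */
int except_msn_validate(const char *value)
{
    char out[FIELD_MAX];
    return handle_except_msn_checked(value, out, sizeof out);
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *ok = "user@example.com";
    const char *too_long = "01234567890123456789012345678901"; /* 32 bytes */

    printf("fits:     %d\n", except_msn_validate(ok));        /* 16 */
    printf("rejected: %d\n", except_msn_validate(too_long));  /* -1 */
    return 0;
}
```

The checked handler rejects rather than truncates: silently cutting a configuration value short can itself produce a different, valid-looking setting, so returning an error (and answering the HTTP request with a client error) is the safer default for a configuration endpoint. Compiling with stack protection and enabling ASLR (SI-16) limits what an overflow can achieve, but only the bounds check removes the defect.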

Details

CWE(s): CWE-119, CWE-120

Affected Products: utt 520w firmware ≤ 1.7.7-180627

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques? A buffer overflow in the router's web interface (/goform/) allows remote, low-privilege exploitation leading to RCE, which maps directly to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
