CVE-2026-2071

HighPublic PoC

Published: 07 February 2026

Published

07 February 2026

Modified

13 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 28.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formP2PLimitConfig. Performing a manipulation of the argument except results in buffer overflow. The attack is possible to be carried out remotely.…

The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates the 'except' argument in /goform/formP2PLimitConfig to prevent buffer overflow from improper input handling via strcpy.

SI-16 Memory Protection good match

prevent

Implements memory safeguards like address space layout randomization and non-executable stacks to block exploitation of the buffer overflow for arbitrary code execution.

SI-2 Flaw Remediation partial match

preventdetect

Establishes a risk-based process to identify, prioritize, and remediate the buffer overflow flaw despite lack of vendor patch.

Security SummaryAI

CVE-2026-2071 is a buffer overflow vulnerability in the UTT 进取 520W firmware version 1.7.7-180627. The issue resides in the strcpy function within the /goform/formP2PLimitConfig component, triggered by manipulation of the "except" argument. This flaw, classified under CWE-119 and CWE-120, allows improper handling of input leading to a buffer overflow and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, potentially resulting in arbitrary code execution, data compromise, or denial of service on the affected device.

No vendor patches or official mitigations are available, as the supplier was contacted early for disclosure but provided no response. An exploit is publicly available, increasing the risk of active exploitation. References include details from VulDB (ctiid.344638, id.344638, submit.745265) and a GitHub repository at https://github.com/cymiao1978/cve/blob/main/new/40.md.

Details

CWE(s): CWE-119 CWE-120

Affected Products

utt

520w firmware

1.7.7-180627

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Buffer overflow in web management interface (/goform/) allows remote exploitation of public-facing application for RCE or DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/cymiao1978/cve/blob/main/new/40.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.344638
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.344638
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.745265
Third Party Advisory, VDB Entry · cna@vuldb.com