CVE-2026-2135

MediumPublic PoC

Published: 08 February 2026

Published

08 February 2026

Modified

13 February 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0038 59.3th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was detected in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_43F020 of the file /goform/formPdbUpConfig. Performing a manipulation of the argument policyNames results in command injection. It is possible to initiate the attack remotely. The…

exploit is now public and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly implements input validation mechanisms at the /goform/formPdbUpConfig entry point to block command injection via the policyNames argument.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and correction of the specific command injection flaw in sub_43F020 of /goform/formPdbUpConfig.

SI-4 System Monitoring partial match

detect

Enables monitoring of system activities to identify exploitation attempts of the command injection vulnerability through anomalous behavior.

Security SummaryAI

CVE-2026-2135 is a command injection vulnerability affecting UTT HiPER 810 version 1.7.4-141218. The issue resides in the function sub_43F020 within the file /goform/formPdbUpConfig, where manipulation of the policyNames argument enables command injection. It is associated with CWEs-74 and CWE-77 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability allows remote exploitation by attackers possessing low privileges. Exploitation requires low complexity and no user interaction, enabling limited impacts on confidentiality, integrity, and availability, such as unauthorized command execution within the context of the affected component.

Advisories documented on VulDB and a GitHub repository detail the vulnerability, noting that the exploit is now public and may be used by attackers. No specific patches or mitigation steps are outlined in the available references.

Details

CWE(s): CWE-74 CWE-77

Affected Products

utt

810 firmware

1.7.4-141218

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection vulnerability in web form (/goform/formPdbUpConfig) on network-accessible device enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme2.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.344770
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.344770
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.747222
Third Party Advisory, VDB Entry · cna@vuldb.com