CVE-2026-31059
Published: 06 April 2026
Description
A remote command execution (RCE) vulnerability in the /goform/formDia component of UTT Aggressive HiPER 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string.
Mitigating Controls (NIST 800-53 r5) (AI)
Requires validation of all information inputs to the /goform/formDia component, directly preventing command injection via crafted strings.
Mandates identification, reporting, and correction of flaws like this command injection vulnerability in the device firmware.
Monitors and controls network communications to external interfaces, blocking or detecting unauthenticated remote access to the vulnerable /goform/formDia endpoint.
Security Summary (AI)
CVE-2026-31059 is a remote command execution (RCE) vulnerability in the /goform/formDia component of UTT Aggressive HiPER 520W v3v1.7.7-180627. Published on 2026-04-06, it enables attackers to execute arbitrary commands via a crafted string and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue is classified under CWE-77 (Command Injection).
The vulnerability can be exploited over the network by unauthenticated attackers, with low attack complexity and no user interaction. Successful exploitation has a high impact on the confidentiality, integrity, and availability of the affected device, because arbitrary command execution gives the attacker full control of it.
Details on the vulnerability, including potential exploitation information, are documented in the GitHub repository at https://github.com/zxq0408/Vul202601/blob/main/9.md. No vendor advisories or patches are specified in available references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The CVE enables unauthenticated RCE via command injection (CWE-77) in a public-facing web component (/goform/formDia). This maps directly to T1190 (Exploit Public-Facing Application) and facilitates Unix Shell command execution (T1059.004) on what is likely a Linux-based network device.