CVE-2026-2135
Remote Command Injection in UTT HiPER 810 via formPdbUpConfig
Publication date: 2026-02-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| utt | 810_firmware | 1.7.4-141218 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2135 is a command injection vulnerability in the UTT HiPER 810 router, firmware version 1.7.4-141218. The flaw lies in the function sub_43F020 of the handler /goform/formPdbUpConfig, where the argument "policyNames" is used directly in system command construction without sanitization. An authenticated attacker can therefore inject shell metacharacters and execute arbitrary commands with root privileges remotely.

The root cause is that user-supplied input is formatted with sprintf into a command string and passed to the doSystem wrapper without neutralizing special characters, so the device runs whatever command the attacker appends. [1, 2]
How can this vulnerability impact me?
This vulnerability allows an attacker to remotely execute arbitrary commands on the affected device with root privileges. This can lead to unauthorized control over the device, compromising its confidentiality, integrity, and availability.
- Attackers can manipulate system files or configurations.
- They can disrupt device operations or cause denial of service.
- Sensitive information stored on the device may be exposed or altered.
- The device could be used as a foothold for further attacks within a network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for requests to the vulnerable endpoint /goform/formPdbUpConfigsub_43F020 that manipulate the policyNames parameter. Since exploitation is command injection through this parameter, unexpected commands executed on the device may also indicate exploitation.

To detect attempts, check web server logs or network traffic for HTTP requests targeting the /goform/formPdbUpConfigsub_43F020 endpoint with unusual characters or shell metacharacters in the policyNames parameter.

Example commands to detect exploitation attempts might include searching logs for the vulnerable endpoint and suspicious parameters (the pattern is single-quoted so the shell does not expand the backtick and `$` inside the character class):

- `grep "/goform/formPdbUpConfigsub_43F020" /var/log/httpd/access_log`
- `grep -E 'policyNames=.*[;&|`$()]' /var/log/httpd/access_log`

Additionally, monitoring running processes or command history for unexpected commands, such as tftp downloads or shell commands spawned from the web interface, may help detect exploitation. [1, 2]
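The grep patterns above only match metacharacters that appear literally in the log; a request that percent-encodes them (`%3B` for `;`, or double-encoded `%253B`) slips past. The following script, an added example that is not part of the original advisory or of any VulDB tooling, parses Common Log Format access-log lines, URL-decodes the policyNames value (twice, to catch double encoding) and flags any request to the handler path named in the advisory whose decoded value contains shell metacharacters. The log lines are constructed for illustration, and the match is on the path prefix /goform/formPdbUpConfig so that both spellings of the endpoint used on this page are covered.

```python
"""Flag CVE-2026-2135 exploitation attempts in an HTTP access log.

Added example (not from the advisory). Assumes Common Log Format lines and
the handler path /goform/formPdbUpConfig named in the advisory; the sample
log below is constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path prefix of the vulnerable handler (from the advisory). Prefix matching
# also catches the "/goform/formPdbUpConfigsub_43F020" spelling.
VULN_PATH_PREFIX = "/goform/formPdbUpConfig"
SUSPECT_PARAM = "policyNames"

# Characters that change how a shell parses a command string (CWE-77).
SHELL_META = re.compile(r"[;&|`$()<>\n]")

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the CLF fields of one log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def suspicious_values(target):
    """Return decoded policyNames values carrying shell metacharacters.

    Only requests whose path starts with the vulnerable handler are examined.
    parse_qs already decodes one layer of percent-encoding; a second unquote
    exposes double-encoded payloads such as %2524 -> %24 -> $.
    """
    parts = urlsplit(target)
    if not parts.path.startswith(VULN_PATH_PREFIX):
        return []
    raw = parse_qs(parts.query, keep_blank_values=True).get(SUSPECT_PARAM, [])
    decoded = [unquote(v) for v in raw]
    return [v for v in decoded if SHELL_META.search(v)]


def scan_log(lines):
    """Return (host, time, target, flagged values) for each suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not CLF (rotation markers, noise)
        bad = suspicious_values(rec["target"])
        if bad:
            hits.append((rec["host"], rec["time"], rec["target"], bad))
    return hits


# Constructed sample log (not real traffic): one benign call to the handler,
# one with an encoded ';', one double-encoded '$', one unrelated endpoint,
# and one unparseable line.
SAMPLE_LOG = [
    '10.0.0.5 - admin [08/Feb/2026:10:00:01 +0000] '
    '"GET /goform/formPdbUpConfig?policyNames=office HTTP/1.1" 200 512',
    '10.0.0.9 - admin [08/Feb/2026:10:00:07 +0000] '
    '"GET /goform/formPdbUpConfig?policyNames=a%3Bb HTTP/1.1" 200 512',
    '10.0.0.9 - admin [08/Feb/2026:10:00:09 +0000] '
    '"GET /goform/formPdbUpConfig?policyNames=a%2524b HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Feb/2026:10:01:00 +0000] '
    '"GET /goform/formLogin?user=admin HTTP/1.1" 200 128',
    "garbage line",
]

if __name__ == "__main__":
    for host, when, target, bad in scan_log(SAMPLE_LOG):
        print(f"{when} {host} {target} -> flagged policyNames={bad}")
```

Two caveats apply when running this against a real device log. The request line in CLF only carries GET query strings, so if the router's web form submits policyNames in a POST body (the advisory does not say which method the handler accepts), the value never reaches the access log and you need request-body logging at a reverse proxy or WAF in front of the management interface. And because the endpoint requires authentication, a hit here usually means a valid admin session was used, which is itself worth investigating.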
What immediate steps should I take to mitigate this vulnerability?
No known mitigations or countermeasures have been identified for this vulnerability.
The recommended immediate step is to replace the affected product (UTT HiPER 810 version 1.7.4-141218) with an alternative device or firmware that is not vulnerable.
In the meantime, restricting access to the vulnerable web management interface, applying network-level controls to block unauthorized access, and monitoring for exploitation attempts are advisable.