CVE-2026-2846
Awaiting Analysis Awaiting Analysis - Queue
OS Command Injection in UTT HiPER 520 Web Interface

Publication date: 2026-02-20

Last updated on: 2026-02-24

Assigner: VulDB

Description
A security vulnerability has been detected in UTT HiPER 520 1.7.7-160105. This impacts the function sub_44D264 of the file /goform/formPdbUpConfig of the component Web Management Interface. The manipulation of the argument policyNames leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2846
EUVD
EUVD-2026-7617
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
utt 520_firmware 1.7.7-160105
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2846 is a critical OS command injection vulnerability found in the UTT HiPER 520 router running firmware version 1.7.7-160105. It affects the Web Management Interface component, specifically the function sub_44D264 in the file /goform/formPdbUpConfig.

The vulnerability arises because the system does not properly sanitize the user-supplied input in the POST parameter named policyNames. This improper handling allows an attacker to inject and execute arbitrary operating system commands remotely by sending a crafted HTTP POST request containing shell metacharacters.

Exploitation requires authentication but can lead to unauthorized command execution with root privileges, resulting in full system compromise.

Impact Analysis

Successful exploitation of this vulnerability can lead to full system compromise of the affected router.

  • Attackers can execute arbitrary commands with root privileges.
  • They may intercept network traffic.
  • They can modify router configurations.
  • Attackers may maintain persistent unauthorized access to the network.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the /goform/formPdbUpConfig endpoint containing the parameter policyNames with shell metacharacters such as semicolons (;). An example of such a malicious payload is policyNames=AnyValue;whoami, which attempts to inject and execute arbitrary OS commands.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your network or system, you can use network monitoring tools or intrusion detection systems to look for HTTP POST requests with suspicious policyNames parameters.'}, {'type': 'list_item', 'content': 'Use tools like tcpdump or Wireshark to capture HTTP POST traffic to /goform/formPdbUpConfig and filter for policyNames parameters containing shell metacharacters.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture relevant HTTP POST requests: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'policyNames=.*;'"}, {'type': 'list_item', 'content': 'Check web server logs for POST requests to /goform/formPdbUpConfig with suspicious policyNames values containing shell metacharacters.'}] [1, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable web management interface to trusted and authenticated users only, as exploitation requires authentication.

Since no known mitigations or patches are reported, it is recommended to replace the affected UTT HiPER 520 device or firmware version 1.7.7-160105 with a secure alternative.

Additionally, monitor network traffic for exploitation attempts and consider implementing network-level controls such as firewall rules to block unauthorized access to the management interface.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2846. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart