CVE-2026-9628
Stack-Based Buffer Overflow in UTT HiPER 1200GW Web Interface
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| utt | hiper_1200gw | up to 2.5.3-170306 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9628 is a buffer overflow vulnerability in the UTT HiPER 1200GW router firmware up to version 2.5.3-170306. It occurs in the Web Management Interface, specifically in the /goform/formPptpClientConfig endpoint. An attacker can send specially crafted requests manipulating arguments like PPTP server address, username, password, or tunnel name, causing a stack-based buffer overflow.
This overflow allows the attacker to overwrite memory, potentially leading to system instability, denial of service, or execution of arbitrary code. The vulnerability can be exploited remotely without user interaction.
How can this vulnerability impact me?
Exploitation of this vulnerability can have serious impacts, including denial of service through a device crash or remote execution of arbitrary code. This means an attacker could take control of the affected router, disrupt network connectivity, or compromise the device's security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for specially crafted POST requests targeting the /goform/formPptpClientConfig or /goform/formUser endpoints on the UTT HiPER 1200GW router. Specifically, requests containing unusually long or malformed inputs in parameters such as 'EncryptionMode' may indicate exploitation attempts.
A practical detection method is to capture and analyze network traffic for POST requests to these endpoints with suspiciously long parameter values that could trigger the buffer overflow.
Example commands to detect such attempts might include using tools like tcpdump or tshark to filter HTTP POST requests to the vulnerable endpoints:
- `tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/formPptpClientConfig'`
- `tshark -Y 'http.request.method == "POST" and http.request.uri contains "/goform/formUser"' -T fields -e http.file_data`
Inspect the captured data for abnormally long strings in parameters like 'EncryptionMode' which may indicate an exploit attempt.
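The inspection step above can be automated. The following Python function is an added example, not part of the original page or of any vendor tooling: it takes one reassembled HTTP request and reports form fields whose decoded value exceeds a length threshold on the two endpoints named above. The 128-byte threshold, the `tunnelName` field name and all sample requests are assumptions constructed for illustration; the page does not state the buffer size or the real field names other than 'EncryptionMode'.

```python
from urllib.parse import parse_qsl, urlsplit

# Endpoints named in the advisory text above.
WATCHED_PATHS = {"/goform/formPptpClientConfig", "/goform/formUser"}
# Assumed alerting threshold; the page does not state the real buffer size.
MAX_VALUE_LEN = 128


def flag_long_params(raw_request, max_len=MAX_VALUE_LEN):
    """Return [(path, field, decoded_length)] for oversized fields in one request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0].split()
    if len(request_line) < 2 or request_line[0].upper() != "POST":
        return []
    url = urlsplit(request_line[1])
    if url.path not in WATCHED_PATHS:
        return []
    # Fields can arrive in the body or the query string; check both.
    # parse_qsl percent-decodes, so the length measured is the length the
    # handler receives, not the length on the wire.
    fields = parse_qsl(body, keep_blank_values=True)
    fields += parse_qsl(url.query, keep_blank_values=True)
    return [(url.path, k, len(v)) for k, v in fields if len(v) > max_len]


def build_request(path, body):
    """Build a constructed sample request (not captured traffic)."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed samples: a normal field, a percent-encoded oversized field,
# an oversized hypothetical field on the PPTP endpoint, an unrelated path.
SAMPLES = [
    build_request("/goform/formUser", "EncryptionMode=MPPE"),
    build_request("/goform/formUser", "EncryptionMode=" + "%41" * 300),
    build_request("/goform/formPptpClientConfig", "tunnelName=" + "x" * 200),
    build_request("/goform/formOther", "note=" + "x" * 200),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for path, field, length in flag_long_params(sample):
            print(f"ALERT {path} field={field} decoded_len={length}")
```

Feed it requests reassembled from a capture (for example with tshark's stream following), and tune the threshold against the longest legitimate values seen on your own devices.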
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Web Management Interface of the UTT HiPER 1200GW router to trusted networks only, such as via firewall rules or network segmentation.
Additionally, monitor and block suspicious POST requests to the /goform/formPptpClientConfig and /goform/formUser endpoints that contain unusually long or malformed parameters.
If possible, update the router firmware to a version later than 2.5.3-170306 where the vulnerability is fixed.
Until a patch is available, disabling the PPTP client configuration feature or the Web Management Interface temporarily can reduce exposure.