PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9631 UTT CVE debrief

A stack-based buffer overflow vulnerability exists in UTT HiPER 1250GW devices running firmware up to version 3.2.7-210907-180535. The vulnerability resides in the `strcpy` function within the `/goform/formConfigFastDirectionW` endpoint of the web management interface. An attacker can exploit this by manipulating the `Profile` argument, leading to remote code execution. The CVSS 4.0 score of 7.4 (HIGH) reflects network attack vector, low attack complexity, and high impacts to confidentiality, integrity, and availability. The exploit has been publicly disclosed, increasing immediate risk. Vendor attribution remains uncertain—Vuldb is identified as a candidate source domain with low confidence, requiring review. No CISA KEV listing exists. Organizations should restrict access to device management interfaces and monitor for firmware updates from UTT.

Vendor
UTT
Product
HiPER 1250GW
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Network administrators managing UTT HiPER 1250GW deployments; security teams responsible for edge network infrastructure; organizations using UTT networking equipment for branch office or SMB routing

Technical summary

The UTT HiPER 1250GW router firmware through 3.2.7-210907-180535 contains a stack-based buffer overflow in the `strcpy` implementation of the `/goform/formConfigFastDirectionW` CGI endpoint. The `Profile` parameter lacks proper bounds validation, allowing remote attackers with low privileges to overflow the stack buffer. Successful exploitation yields high impact across confidentiality, integrity, and availability dimensions per CVSS 4.0 scoring. The attack requires no user interaction and can be conducted remotely over the network.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict network access to UTT HiPER 1250GW web management interfaces to trusted administrative hosts only
  • Monitor vendor security advisories for firmware updates addressing version 3.2.7-210907-180535 and earlier
  • Implement network segmentation to isolate affected devices from untrusted networks
  • Review device logs for anomalous requests to /goform/formConfigFastDirectionW endpoint
  • Consider disabling remote web management if not operationally required

Evidence notes

Vulnerability confirmed via Vuldb submission 818375 and CVE record. CVSS 4.0 vector indicates exploitable over network with low privileges required. CWE-121 (stack-based buffer overflow) and CWE-119 (improper restriction of operations within buffer bounds) identified.

Official resources

Public exploit available; no patch confirmed