What is the CVSS score of CVE-2025-6098?

CVE-2025-6098 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of 750w Firmware are affected by CVE-2025-6098?

A critical remote code execution vulnerability (CVE-2025-6098) affects UTT 进取 750W devices up to version 5.0, with a public exploit available and no vendor patch.

Is there a public PoC exploit available for CVE-2025-6098?

Yes, a public proof-of-concept exploit is available for CVE-2025-6098. Prioritise patching immediately. EPSS: 0.3%.

How to fix or mitigate CVE-2025-6098?

Within 24 hours: Identify and inventory all affected UTT 进取 750W devices in your environment; isolate critical instances from production networks if possible. Within 7 days: Implement network segmentation to restrict administrative access to affected devices; deploy WAF rules to block POST requests to /goform/setSysAdm endpoint; disable remote administrative access if operationally feasible. Within 30 days: Evaluate replacement devices from vendors with active security support; contact UTT for patch availability status; conduct forensic audit for signs of compromise.

750w Firmware CVE-2025-6098

EUVD-2025-18354 CRITICAL

Buffer Overflow (CWE-119)

2025-06-16 cna@vuldb.com

Buffer Overflow 750w Firmware

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:59 euvd

EUVD-2025-18354

Analysis Generated

Mar 14, 2026 - 21:59 vuln.today

PoC Detected

Jan 08, 2026 - 21:22 vuln.today

Public exploit code

CVE Published

Jun 16, 2025 - 01:15 nvd

CRITICAL 9.8

DescriptionCVE.org

A vulnerability was found in UTT 进取 750W up to 5.0. It has been classified as critical. This affects the function strcpy of the file /goform/setSysAdm of the component API. The manipulation of the argument passwd1 leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Critical remote buffer overflow vulnerability in UTT 进取 750W network devices affecting the /goform/setSysAdm API endpoint. An unauthenticated remote attacker can exploit improper use of strcpy() in the passwd1 parameter to achieve complete system compromise (confidentiality, integrity, and availability). A public proof-of-concept exploit exists, and the vendor has not provided patches or response despite early disclosure notification.

Technical ContextAI

This vulnerability stems from CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), specifically unsafe use of strcpy() without bounds checking in the /goform/setSysAdm API endpoint. The affected component is a web-based administrative interface on UTT 进取 750W devices (versions up to 5.0). The strcpy() function copies user-supplied input from the 'passwd1' parameter directly into a fixed-size buffer on the stack, enabling stack-based buffer overflow. No input validation or length restrictions are applied before the copy operation. CPE identification suggests embedded networking equipment (likely industrial/commercial-grade router or gateway). The vulnerability is remotely exploitable over HTTP/HTTPS without authentication, making the attack surface extremely broad.

CVE-2025-6098 vulnerability details – vuln.today

Back

750w Firmware CVE-2025-6098

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

Share

External POC / Exploit Code