Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in UTT HiPER 1200GW up to 2.5.3-170306. Affected is an unknown function of the file /goform/formPptpClientConfig of the component Web Management Interface. This manipulation of the argument PPTP server address/username/password/tunnel name causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.
AnalysisAI
Stack-based buffer overflow in the UTT HiPER 1200GW router's Web Management Interface lets an authenticated, network-adjacent attacker corrupt memory by submitting oversized values to the PPTP client configuration handler (/goform/formPptpClientConfig), affecting firmware up to 2.5.3-170306. A successful overflow can crash the device or potentially achieve code execution on the embedded gateway, with high confidentiality, integrity, and availability impact on the device itself. Publicly available exploit code exists (CVSS 4.0 base 7.4), but the EPSS score is very low at 0.04% (13th percentile) and the issue is not listed in CISA KEV.
Technical ContextAI
The vulnerability resides in the CGI-style web handler /goform/formPptpClientConfig, the endpoint that configures the device's PPTP VPN client (server address, username, password, and tunnel name). On embedded SOHO routers like the UTT HiPER series, these goform handlers parse HTTP form parameters into fixed-size stack buffers in native C with no length validation, which is the classic root cause behind CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). Supplying a PPTP field longer than the destination buffer overwrites adjacent stack memory, including saved registers and the return address, leading to a control-flow hijack or crash on the MIPS/ARM-class processor typical of these gateways. No CPE string was provided in the source data beyond the version label HiPER 1200GW 2.5.3-170306, so the precise affected hardware/firmware matrix is limited to that single build.
RemediationAI
No vendor-released patch was identified at time of analysis, and no UTT advisory URL is present in the available references, so a fixed firmware version cannot be cited. Because the flaw is reached only through the Web Management Interface by an authenticated user, the most effective compensating control is to restrict reachability of that interface: disable remote/WAN-side management entirely and bind administration to a trusted management VLAN or specific admin host (trade-off: legitimate remote administration is lost and must be done via VPN or on-site). Additionally, replace any default or weak administrative credentials and enforce strong unique passwords to make the PR:L precondition harder to satisfy, restrict access to the /goform/formPptpClientConfig endpoint and the PPTP client feature if VPN client functionality is unused, and monitor the device for unexpected reboots or crashes that may indicate overflow attempts. If the device is end-of-life or no fix is forthcoming, plan migration to a supported model, since the underlying buffer-handling defect will otherwise remain. Validate any future firmware against the VulDB entry (https://vuldb.com/vuln/365684) and the vendor's site before relying on it.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32031
GHSA-82pj-c6qc-rcq2