How to fix EUVD-2025-18354?

Within 24 hours: Identify and inventory all affected UTT 进取 750W devices in your environment; isolate critical instances from production networks if possible. Within 7 days: Implement network segmentation to restrict administrative access to affected devices; deploy WAF rules to block POST requests to /goform/setSysAdm endpoint; disable remote administrative access if operationally feasible. Within 30 days: Evaluate replacement devices from vendors with active security support; contact UTT for patch availability status; conduct forensic audit for signs of compromise.

Is 750w Firmware affected by EUVD-2025-18354?

A critical remote code execution vulnerability (CVE-2025-6098) affects UTT 进取 750W devices up to version 5.0, with a public exploit available and no vendor patch.

EUVD-2025-18354

| CVE-2025-6098 CRITICAL

2025-06-16 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 21:59 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 21:59 euvd

EUVD-2025-18354

PoC Detected

Jan 08, 2026 - 21:22 vuln.today

Public exploit code

CVE Published

Jun 16, 2025 - 01:15 nvd

CRITICAL 9.8

Description

A vulnerability was found in UTT 进取 750W up to 5.0. It has been classified as critical. This affects the function strcpy of the file /goform/setSysAdm of the component API. The manipulation of the argument passwd1 leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis

Critical remote buffer overflow vulnerability in UTT 进取 750W network devices affecting the /goform/setSysAdm API endpoint. An unauthenticated remote attacker can exploit improper use of strcpy() in the passwd1 parameter to achieve complete system compromise (confidentiality, integrity, and availability). A public proof-of-concept exploit exists, and the vendor has not provided patches or response despite early disclosure notification.

Technical Context

This vulnerability stems from CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), specifically unsafe use of strcpy() without bounds checking in the /goform/setSysAdm API endpoint. The affected component is a web-based administrative interface on UTT 进取 750W devices (versions up to 5.0). The strcpy() function copies user-supplied input from the 'passwd1' parameter directly into a fixed-size buffer on the stack, enabling stack-based buffer overflow. No input validation or length restrictions are applied before the copy operation. CPE identification suggests embedded networking equipment (likely industrial/commercial-grade router or gateway). The vulnerability is remotely exploitable over HTTP/HTTPS without authentication, making the attack surface extremely broad.

Affected Products

进取 750W (up to 5.0)

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +49

POC: +20

EUVD-2025-18354 vulnerability details – vuln.today

Back

EUVD-2025-18354

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

EUVD-2025-18354

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code