Hiper 2610G
Monthly
Stack buffer overflow in UTT HiPER 2610G routers (firmware through 3.0.0-171107) allows authenticated remote attackers to corrupt memory by submitting an oversized GroupName parameter to the /goform/formConfigDnsFilterGlobal endpoint, which passes the input to an unsafe strcpy call. Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), and successful exploitation can compromise confidentiality, integrity, and availability of the device - typically meaning router takeover or denial of service. The issue is not listed in CISA KEV, so it is not confirmed actively exploited at this time.
Buffer overflow in UTT HiPER 2610G firmware (up to 3.0.0-171107) enables an authenticated, adjacent-network attacker to corrupt memory via an unsafe strcpy call in the web management NAT static mapping form handler. By supplying an oversized NatBinds argument to /goform/formNatStaticMap, an attacker can achieve low-level impacts across confidentiality, integrity, and availability on the targeted device. No KEV listing is present, but a public proof-of-concept is confirmed on GitHub, materially lowering the exploitation barrier for any attacker already on the local network.
Stack buffer overflow in UTT HiPER 2610G routers (firmware through 3.0.0-171107) allows authenticated remote attackers to corrupt memory by submitting an oversized GroupName parameter to the /goform/formConfigDnsFilterGlobal endpoint, which passes the input to an unsafe strcpy call. Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), and successful exploitation can compromise confidentiality, integrity, and availability of the device - typically meaning router takeover or denial of service. The issue is not listed in CISA KEV, so it is not confirmed actively exploited at this time.
Buffer overflow in UTT HiPER 2610G firmware (up to 3.0.0-171107) enables an authenticated, adjacent-network attacker to corrupt memory via an unsafe strcpy call in the web management NAT static mapping form handler. By supplying an oversized NatBinds argument to /goform/formNatStaticMap, an attacker can achieve low-level impacts across confidentiality, integrity, and availability on the targeted device. No KEV listing is present, but a public proof-of-concept is confirmed on GitHub, materially lowering the exploitation barrier for any attacker already on the local network.