CVE-2025-13442
UTT 进取 750W formPdbUpConfig system command injection
In short
A web interface in UTT 进取 750W devices allows attackers to inject system commands through a form parameter called policyNames. An attacker can remotely execute arbitrary commands on the device without needing authentication.
Technical detail
A CWE-74/CWE-77 command injection vulnerability in the /goform/formPdbUpConfig endpoint allows unauthenticated remote code execution via the unsanitized policyNames parameter. The vulnerability affects UTT 进取 750W up to version 3.2.2-191225 and requires only network access to exploit.
Summary generated and translated by AI from the official description.
A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Affected by this vulnerability is the function system of the file /goform/formPdbUpConfig. Such manipulation of the argument policyNames leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
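Detection sketch (an added example, not part of the advisory or of any vendor code): a check for a reverse proxy or log pipeline that flags requests to /goform/formPdbUpConfig whose policyNames value contains characters outside an allowlist. The allowlist, the name inspect_request and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/formPdbUpConfig"  # endpoint named in the advisory
PARAM = "policyNames"                 # parameter named in the advisory

# Assumption: legitimate policy names are short tokens made of letters, digits,
# '_', '-', '.', spaces and commas. Tune this to the names used on your devices.
ALLOWED_CHARS = r"A-Za-z0-9_.,\- "
SAFE_VALUE = re.compile(rf"[{ALLOWED_CHARS}]{{1,128}}")


def inspect_request(method, target, body=""):
    """Return one finding per suspicious policyNames value; [] means clean."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    # The parameter may arrive in the query string or in a urlencoded form
    # body; parse_qs percent-decodes both, so encoded characters are seen.
    params = parse_qs(parts.query)
    for key, values in parse_qs(body).items():
        params.setdefault(key, []).extend(values)
    findings = []
    for value in params.get(PARAM, []):
        if SAFE_VALUE.fullmatch(value):
            continue
        unexpected = sorted(set(re.sub(rf"[{ALLOWED_CHARS}]", "", value)))
        findings.append({
            "method": method,
            "value": value,
            "unexpected_chars": unexpected,
            "too_long": len(value) > 128,
        })
    return findings


# Constructed sample requests (method, request target, form body).
SAMPLES = [
    ("POST", ENDPOINT, "policyNames=web_filter%2Cp2p-block"),
    ("POST", ENDPOINT, "policyNames=web_filter%3Becho+marker"),
    ("POST", "/goform/otherForm", "policyNames=a%7Cb"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[1], sample[2], "->", inspect_request(*sample))
```

Any request reaching this endpoint from an untrusted network is worth alerting on in its own right, since the management interface should not be exposed there.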
Affected products
UTT · 进取 750W