CVE-2025-10953
Published: 2025-09-25
Priority: P2 · 72 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 4.41% (90.1th percentile)
A security vulnerability has been detected in UTT 1200GW and 1250GW up to 3.0.0-170831/3.2.2-200710. This vulnerability affects unknown code of the file /goform/formApMail. The manipulation of the argument senderEmail leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| utt | 1200gw | — | — |
| utt | 1200gw | — | — |
| utt | 1200gw_firmware | <= 3.0.0-170831 | — |
| utt | 1250gw | — | — |
| utt | 1250gw | — | — |
| utt | 1250gw_firmware | <= 3.2.2-200710 | — |
Detection & IOCs (extracted from sources)
command: POST /goform/formApMail
snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS UTT formApMail senderEmail Parameter Buffer Overflow Attempt (CVE-2025-10953)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:18; content:"/goform/formApMail"; fast_pattern; http.request_body; content:"senderEmail|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/cymiao1978/cve/blob/main/9.md; reference:cve,2025-10953; classtype:web-application-attack; sid:2064930; rev:1; metadata:affected_product UTT, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_09_25, cve CVE_2025_10953, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Trigger on HTTP POST requests to /goform/formApMail where the senderEmail parameter value is 100 or more characters (not containing '&'), indicating a buffer overflow attempt.
- The URI path /goform/formApMail has an exact byte size of 18; use bsize matching to reduce false positives.
- Attack is plaintext (non-TLS) and should be monitored at the network perimeter and internally on inbound HTTP traffic to networking equipment.
- The exploit PoC has been publicly disclosed; reference the GitHub PoC for payload patterns.
- Affected versions are UTT 1200GW and 1250GW up to firmware 3.0.0-170831 and 3.2.2-200710 respectively. Ensure detection scope is limited to these device models/versions to avoid false positives on other UTT products.
- The vendor did not respond to disclosure; no official patch is confirmed. Detection/blocking at the network perimeter is the primary mitigation.
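The rule's three conditions (POST method, URI exactly equal to the 18-byte path, and a senderEmail value of 100 or more bytes before the next '&' or end of body) can be checked against captured requests offline. The following is an added example, not part of the rule or the original page; it does not apply Suricata's URI normalization, and the sample requests, host address and the `port` parameter are constructed for illustration.

```python
import re

TARGET_URI = b"/goform/formApMail"  # 18 bytes, which is what bsize:18 pins
# Same condition as content:"senderEmail|3d|" followed by the relative pcre
# /^[^&]{100,}(?:&|$)/R: 100+ bytes without '&', then '&' or end of body.
LONG_SENDER = re.compile(rb"senderEmail=[^&]{100,}(?:&|$)")


def matches_rule(raw_request: bytes) -> bool:
    """True if a raw HTTP/1.x request meets the rule's three conditions."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:
        return False
    method, uri, _version = parts
    # bsize:18 plus the content match means the URI must equal the path
    # exactly; a query string or a longer path falls outside the rule.
    if method != b"POST" or uri != TARGET_URI:
        return False
    return LONG_SENDER.search(body) is not None


def build_request(body: bytes, uri: bytes = TARGET_URI, method: bytes = b"POST") -> bytes:
    """Constructed sample request for exercising matches_rule (hypothetical host)."""
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            b"Host: 192.0.2.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples: label -> request. Filler is a repeated letter only.
SAMPLES = {
    "normal address": build_request(b"senderEmail=admin%40example.com&port=25"),
    "99-byte value": build_request(b"senderEmail=" + b"a" * 99),
    "100-byte value": build_request(b"senderEmail=" + b"a" * 100),
    "long value, more params": build_request(b"senderEmail=" + b"a" * 300 + b"&port=25"),
    "long value, other path": build_request(b"senderEmail=" + b"a" * 300, uri=b"/goform/other"),
    "long value, query string": build_request(b"senderEmail=" + b"a" * 300, uri=TARGET_URI + b"?x=1"),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:28} {'ALERT' if matches_rule(request) else 'no match'}")
```

The last sample shows a coverage consequence of the exact-size URI match: a request to the same path with a query string appended is not flagged by this logic.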
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Suricata
ET WEB_SPECIFIC_APPS UTT formApMail senderEmail Parameter Buffer Overflow Attempt (CVE-2025-10953)
suricata·2025-09-25·CVSS 7.4
No public exploits indexed.
No writeups or analysis indexed.