CVE-2026-2846
Published 2026-02-20
Priority: P2 (67)
CVSS 3.1: 7.2 high (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 9.82% (95.0th percentile)
A security vulnerability has been detected in UTT HiPER 520 1.7.7-160105. This impacts the function sub_44D264 of the file /goform/formPdbUpConfig of the component Web Management Interface. The manipulation of the argument policyNames leads to OS command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| utt | 520_firmware | — | — |
| utt | hiper_520 | — | — |
Detection & IOCs
URL: https://github.com/alc9700jmo/CVE/issues/20
Rule (snort):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS UTT formPdbUpConfig policyNames Parameter Command Injection Attempt (CVE-2025-13442, CVE-2026-2846)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/goform/formPdbUpConfig"; fast_pattern; http.request_body; content:"policyNames|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/alc9700jmo/CVE/issues/20; reference:cve,2025-13442; reference:cve,2026-2846; classtype:attempted-admin; sid:2066303; rev:1; metadata:affected_product UTT, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_12, cve CVE_2025_13442, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Attack requires HTTP POST method targeting the exact URI /goform/formPdbUpConfig (URI length is exactly 23 bytes); match on this combination to identify exploitation attempts.
- Request body must contain the 'policyNames=' parameter (written in the rule as 'policyNames|3d|', where |3d| is the hex byte for '=') followed by OS command injection metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
- Traffic is expected in plaintext (non-TLS); deploy detection at the network perimeter and internally.
- The vulnerability is in the function sub_44D264 within the Web Management Interface; exploitation is fully remote with no authentication requirement implied by public disclosure.
- The Snort/Suricata rule (ET sid:2066303) covers two CVEs simultaneously (CVE-2025-13442 and CVE-2026-2846); tune or split the rule if per-CVE attribution is required in your SIEM.
- The affected product is UTT HiPER 520 firmware version 1.7.7-160105; scope detection to networking equipment assets running this specific firmware to reduce false positives.
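The matching logic of the rule above, re-expressed for hunting through already-parsed HTTP request records (for example from proxy or PCAP-derived logs). This is an added example, not part of the ET ruleset or the original page; the function names, the `/goform/formOther` path and the sample requests are constructed for illustration.

```python
import re

URI = b"/goform/formPdbUpConfig"  # http.uri + bsize:23: the whole URI, nothing more
PARAM = b"policyNames="           # content:"policyNames|3d|" (|3d| is the byte "=")

# Alternatives from the rule's pcre. The request body is not URL-decoded, so
# each metacharacter is listed raw and percent-encoded. [^&]*? keeps the match
# inside the policyNames value by refusing to cross into the next parameter.
META = re.compile(rb"[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")


def rule_matches(method: bytes, uri: bytes, body: bytes) -> bool:
    """Approximate sid:2066303 for one already-parsed HTTP request."""
    if method != b"POST" or uri != URI:
        return False
    # The pcre is relative (/R) to the content hit, so test the bytes right
    # after every occurrence of the parameter name, not only the first.
    start = body.find(PARAM)
    while start != -1:
        if META.match(body, start + len(PARAM)):
            return True
        start = body.find(PARAM, start + 1)
    return False


# Constructed sample requests (method, URI, body); not captured traffic.
SAMPLES = [
    (b"POST", URI, b"policyNames=office&action=add"),        # clean value
    (b"POST", URI, b"policyNames=office%3Bx&action=add"),    # encoded ";"
    (b"POST", URI, b"policyNames=a|b"),                      # raw "|"
    (b"POST", URI, b"policyNames=office&note=a;b"),          # ";" in another field
    (b"POST", URI, b"policyNames=ok&policyNames=a%60b"),     # second occurrence
    (b"GET", URI, b"policyNames=a;b"),                       # wrong method
    (b"POST", b"/goform/formOther", b"policyNames=a;b"),     # wrong URI
]


def scan(requests):
    """Return the indexes of requests the rule logic would alert on."""
    return [i for i, req in enumerate(requests) if rule_matches(*req)]


if __name__ == "__main__":
    print(scan(SAMPLES))
```

Because the check is limited to the policyNames value, a metacharacter in any other form field does not alert, which keeps noise down on management traffic that legitimately carries such characters elsewhere.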
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 8.3 | HIGH | AV:N/AC:L/Au:M/C:C/I:C/A:C |
Suricata
ET WEB_SPECIFIC_APPS UTT formPdbUpConfig policyNames Parameter Command Injection Attempt (CVE-2025-13442, CVE-2026-2846)
suricata · 2025-12-12 · CVSS 6.9
CVE-2025-13442 [MEDIUM] ET WEB_SPECIFIC_APPS UTT formPdbUpConfig policyNames Parameter Command Injection Attempt (CVE-2025-13442, CVE-2026-2846)
No public exploits indexed.
No writeups or analysis indexed.