Overview
A high-severity command injection vulnerability, identified as CVE-2025-13442, has been discovered in UTT 进取 750W devices up to version 3.2.2-191225. This vulnerability allows a remote attacker to execute arbitrary commands on the affected system. The vulnerability resides within the /goform/formPdbUpConfig endpoint and is triggered by manipulating the policyNames argument. This issue has been publicly disclosed and is actively exploitable. Attempts to contact the vendor have been unsuccessful.
Technical Details
The vulnerability exists within the /goform/formPdbUpConfig endpoint, which is responsible for handling configuration updates. By crafting a malicious request that includes shell metacharacters within the policyNames argument, an attacker can inject arbitrary commands into the system’s operating system. Due to insufficient input validation and sanitization, the system executes these injected commands with elevated privileges. The vulnerable function is located within the system component.
Specifically, the application fails to properly sanitize input received via the policyNames parameter. This allows an attacker to inject shell commands, potentially leading to complete system compromise.
CVSS Analysis
This vulnerability has been assigned a CVSS score of 7.3, indicating a high severity. The CVSS vector is likely AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This breaks down as follows:
- Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely.
- Attack Complexity (AC): Low (L) – Exploitation requires minimal effort.
- Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
- User Interaction (UI): None (N) – No user interaction is required.
- Scope (S): Unchanged (U) – The vulnerability does not affect components beyond the affected resource.
- Confidentiality Impact (C): High (H) – There is a high impact to confidentiality.
- Integrity Impact (I): High (H) – There is a high impact to integrity.
- Availability Impact (A): High (H) – There is a high impact to availability.
Possible Impact
Successful exploitation of this vulnerability could lead to a number of severe consequences, including:
- Complete System Compromise: An attacker could gain full control of the affected device.
- Data Theft: Sensitive data stored on the device could be accessed and stolen.
- Malware Installation: The device could be used to install malware, such as botnets or ransomware.
- Denial of Service (DoS): The device could be rendered unusable, disrupting services and operations.
- Lateral Movement: Compromised devices could be used as a springboard to attack other systems on the network.
Mitigation or Patch Steps
Unfortunately, the vendor has not responded to vulnerability reports or provided a patch at this time. Given the lack of vendor support, the following steps are recommended:
- Discontinue Use: The most effective mitigation is to immediately discontinue use of the affected UTT 进取 750W devices.
- Network Segmentation: If discontinuing use is not possible, isolate the device on a segmented network to limit the potential impact of a successful attack.
- Firewall Restrictions: Implement strict firewall rules to restrict access to the
/goform/formPdbUpConfigendpoint from untrusted networks. - Intrusion Detection Systems (IDS): Deploy an IDS to monitor network traffic for suspicious activity related to this vulnerability.
- Monitor for Compromise: Continuously monitor the device for signs of compromise, such as unusual network activity or unauthorized access attempts.
It’s crucial to emphasize the severity and lack of vendor response, encouraging users to prioritize device replacement if possible.
