Skip to content
Threat Feed
high threat exploited

UTT HiPER 1200GW Stack-Based Buffer Overflow Vulnerability (CVE-2026-10293)

A stack-based buffer overflow vulnerability (CVE-2026-10293) exists in UTT HiPER 1200GW up to version 2.5.3-170306 due to the strcpy function in /goform/formFireWall, allowing remote exploitation via manipulation of the Profile argument.

A stack-based buffer overflow vulnerability, tracked as CVE-2026-10293, has been identified in UTT HiPER 1200GW devices up to version 2.5.3-170306. The vulnerability lies within the strcpy function in the /goform/formFireWall file. An attacker can exploit this flaw by manipulating the Profile argument, leading to potential remote code execution. Publicly available exploit code exists, increasing the risk of active exploitation. This vulnerability poses a significant threat to organizations using affected UTT HiPER devices, potentially allowing unauthorized access and control over the network.

Attack Chain

  1. Attacker identifies a vulnerable UTT HiPER 1200GW device with version 2.5.3-170306 or earlier.
  2. Attacker sends a crafted HTTP request to the /goform/formFireWall endpoint.
  3. The HTTP request includes a malicious payload in the Profile argument, designed to cause a buffer overflow.
  4. The strcpy function copies the attacker-controlled Profile argument into a fixed-size buffer on the stack.
  5. Due to insufficient bounds checking, the copy operation overwrites adjacent memory regions on the stack.
  6. The attacker carefully crafts the payload to overwrite the return address, redirecting execution flow.
  7. Upon function return, execution jumps to the attacker-controlled address.
  8. Attacker gains remote code execution on the device, potentially allowing for complete system compromise.

Impact

Successful exploitation of CVE-2026-10293 can lead to complete compromise of the UTT HiPER 1200GW device. This could allow attackers to gain unauthorized access to the network, steal sensitive information, or use the device as a foothold for further attacks within the network. Given the publicly available exploit, the risk of widespread exploitation is elevated.

Recommendation

  • Apply available patches or upgrade to a non-vulnerable version of UTT HiPER 1200GW firmware to remediate CVE-2026-10293.
  • Monitor web server logs for suspicious POST requests to /goform/formFireWall with overly long Profile parameters, triggering the detection rule “Detect CVE-2026-10293 Exploitation Attempt - Long Profile Parameter”.
  • Implement network intrusion detection systems (IDS) rules to detect and block exploit attempts targeting CVE-2026-10293.

Detection coverage 2

Detect CVE-2026-10293 Exploitation Attempt - Long Profile Parameter

high

Detects CVE-2026-10293 exploitation attempt — Monitors web server logs for suspicious POST requests to /goform/formFireWall with unusually long Profile parameters, indicative of a buffer overflow attempt.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detect CVE-2026-10293 Exploitation Attempt - Abnormal HTTP Status Code

medium

Detects CVE-2026-10293 exploitation attempt — Detects abnormal server responses (5xx errors) following POST requests to /goform/formFireWall with 'Profile=' parameters, potentially indicating a server crash due to buffer overflow.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →