CVE-2026-10293: UTT HiPER 1200GW formFireWall strcpy stack-based overflow
A flaw has been found in UTT HiPER 1200GW up to 2.5.3-170306. It affects the function strcpy in the file /goform/formFireWall. Manipulating the argument Profile causes a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A stack-based buffer overflow exists in the UTT HiPER 1200GW router firmware, affecting all versions up to 2.5.3-170306. The flaw is in the formFireWall form handler, where the Profile argument is copied into a fixed-size stack buffer using strcpy without bounds checking; a low-privileged attacker can reach it over the network. Successful exploitation gives the attacker full control over the device, including the ability to read, modify, or disrupt all traffic flowing through it. No upstream fix has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment one is released.
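The copy pattern described in the synopsis, next to a length-checked form, as an added example; this is not UTT firmware code. The function names, the 32-byte buffer size and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the advisory does not state the real one. */
#define PROFILE_MAX 32

/* Vulnerable pattern as the advisory describes it (hypothetical handler):
 * a request argument copied into a fixed-size stack buffer with strcpy. */
int set_profile_unsafe(const char *profile_arg)
{
    char profile[PROFILE_MAX];
    strcpy(profile, profile_arg);   /* writes past profile[] once input reaches PROFILE_MAX bytes */
    return (int)strlen(profile);
}

/* Hardened form: find the terminator within the destination size first,
 * reject oversize input outright, and never truncate silently. */
int set_profile_checked(const char *profile_arg, char *out, size_t out_size)
{
    const char *nul;

    if (profile_arg == NULL || out == NULL || out_size == 0)
        return -1;
    nul = memchr(profile_arg, '\0', out_size);   /* scans at most out_size bytes */
    if (nul == NULL)                             /* no room for value plus NUL */
        return -1;
    memcpy(out, profile_arg, (size_t)(nul - profile_arg) + 1);   /* +1 copies the NUL */
    return (int)(nul - profile_arg);
}

int main(void)
{
    char profile[PROFILE_MAX];
    char oversized[4 * PROFILE_MAX];

    memset(oversized, 'A', sizeof oversized - 1);   /* constructed oversize value */
    oversized[sizeof oversized - 1] = '\0';

    printf("short:     %d\n", set_profile_checked("guest-wifi", profile, sizeof profile));
    printf("oversized: %d\n", set_profile_checked(oversized, profile, sizeof profile));
    return 0;
}
```

The checked version returns the copied length on success and -1 on rejection, so a form handler can answer with an error instead of continuing with a truncated or overflowing value.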
HarborGuard Coverage
Detection of CVE-2026-10293 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including VulDB, NVD, and vendor advisories. Coverage extends to custom-built images that bundle UTT HiPER 1200GW firmware or derived components, not only images pulled from public registries.
Available
HarborGuard is capable of scoring this finding at CVSS 4.0 8.7 (HIGH) and weighting it against each customer organization's compliance policy to determine urgency and routing. Triage alerts can be directed to the appropriate team inbox based on per-environment policy configuration, so the right owner receives the finding without manual sorting.
Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment UTT ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated immediately upon upstream patch availability.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable formFireWall endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the device's management interface.
- Authentication: Required
  The CVSS vector specifies PR:L, meaning any low-privilege account on the device is sufficient to reach the vulnerable code path.
- Victim interaction: Not required
  Exploitation is fully attacker-driven; no action from a logged-in user or administrator is needed to trigger the overflow.
- Attack complexity: Detail
  Attack complexity is rated Low, meaning the overflow is reliably triggerable without needing to meet race conditions or specific memory layout requirements.
Blast Radius
- The attacker gains full read access to data processed by the device, including credentials, session tokens, and cleartext traffic passing through the router.
- The attacker can modify firewall rules and routing configuration, redirecting or intercepting traffic flows.
- The attacker can crash the device or render it unresponsive, disrupting all network connectivity for hosts behind the gateway.
- Because the overflow targets kernel or privileged firmware code on a network edge device, post-exploitation persistence is achievable with no further authentication.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-10293 is active now, matching any image found to bundle UTT HiPER 1200GW firmware up to version 2.5.3-170306. Because no upstream fix exists, HarborGuard monitors the VulDB and NVD advisory records on every ingest cycle. As compensating controls, customers are encouraged to use network-policy isolation to restrict access to the device management interface to trusted source IPs only, apply egress filtering to prevent the device from initiating outbound connections if it is compromised, and review whether web-based firewall management can be disabled or firewalled at the perimeter. Where compliance policy permits, the moment UTT publishes a patched firmware version, HarborGuard will make a rebuilt image available and, for customers with auto-remediation enabled, will open a PR against affected workloads after running a regression test pass.
- UTT / HiPER 1200GW 2.5.3-170306
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P