📄 Description (English)
A vulnerability has been found in UTT HiPER 810 1.7.4-141218. This issue affects the function setSysAdm of the file /goform/formUser. The manipulation of the argument passwd1 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
🤖 AI Executive Summary
CVE-2026-2080 is a critical command injection vulnerability in UTT HiPER 810 firmware (v1.7.4-141218) affecting the setSysAdm function. An unauthenticated attacker can inject arbitrary commands via the passwd1 parameter, leading to complete system compromise. With public exploit availability and vendor non-responsiveness, immediate patching is essential for all affected deployments in Saudi Arabia.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 9, 2026 03:33
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risk to Saudi telecommunications infrastructure (STC, Mobily, Zain), government networks (NCA, CITC), and banking sector (SAMA-regulated institutions). UTT HiPER 810 devices are commonly deployed as network management and access control systems in critical infrastructure. Successful exploitation enables complete device takeover, lateral network movement, and potential disruption of essential services. Government entities and financial institutions using these devices face immediate operational and compliance risks.
🏢 Affected Saudi Sectors
Telecommunications (STC, Mobily, Zain)
Government (NCA, CITC, Ministry of Interior)
Banking and Financial Services (SAMA-regulated institutions)
Energy (ARAMCO, power utilities)
Healthcare (Ministry of Health)
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all UTT HiPER 810 devices running firmware 1.7.4-141218 across your infrastructure
2. Isolate affected devices from production networks or implement network segmentation
3. Disable remote access to /goform/formUser endpoint via firewall rules
4. Change all administrative credentials immediately
PATCHING:
1. Contact UTT for available firmware updates beyond 1.7.4-141218
2. Test patches in isolated lab environment before production deployment
3. Schedule maintenance windows for firmware updates on all affected devices
4. Verify patch installation and confirm firmware version post-update
COMPENSATING CONTROLS (if patch unavailable):
1. Implement WAF rules to block requests to /goform/formUser containing special characters (;|&$`)
2. Restrict network access to management interfaces via IP whitelisting
3. Deploy IDS/IPS signatures detecting command injection patterns in passwd1 parameter
4. Enable comprehensive logging and monitoring of all administrative access
5. Implement network segmentation isolating management interfaces
DETECTION:
1. Monitor for HTTP POST requests to /goform/formUser with encoded/special characters in passwd1
2. Alert on successful command execution patterns following setSysAdm function calls
3. Track firmware version changes and unauthorized administrative access
4. Implement SIEM rules for detecting command injection attack signatures
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع أجهزة UTT HiPER 810 التي تعمل بالإصدار 1.7.4-141218 عبر البنية التحتية
2. عزل الأجهزة المتأثرة عن شبكات الإنتاج أو تطبيق تقسيم الشبكة
3. تعطيل الوصول البعيد إلى نقطة نهاية /goform/formUser عبر قواعد جدار الحماية
4. تغيير جميع بيانات اعتماد المسؤول فورًا
التصحيح:
1. الاتصال بـ UTT للحصول على تحديثات البرنامج الثابت المتاحة بعد 1.7.4-141218
2. اختبار التصحيحات في بيئة معملية معزولة قبل نشر الإنتاج
3. جدولة نوافذ الصيانة لتحديثات البرنامج الثابت على جميع الأجهزة المتأثرة
4. التحقق من تثبيت التصحيح وتأكيد إصدار البرنامج الثابت بعد التحديث
الضوابط البديلة:
1. تطبيق قواعد WAF لحظر الطلبات إلى /goform/formUser التي تحتوي على أحرف خاصة
2. تقييد الوصول إلى واجهات الإدارة عبر قائمة بيضاء للعناوين
3. نشر توقيعات IDS/IPS للكشف عن أنماط حقن الأوامر
4. تفعيل السجلات الشاملة ومراقبة جميع الوصول الإداري
5. تطبيق تقسيم الشبكة لعزل واجهات الإدارة
الكشف:
1. مراقبة طلبات HTTP POST إلى /goform/formUser بأحرف مشفرة/خاصة
2. التنبيه على أنماط تنفيذ الأوامر الناجحة بعد استدعاءات setSysAdm
3. تتبع تغييرات إصدار البرنامج الثابت والوصول الإداري غير المصرح به
4. تطبيق قواعد SIEM للكشف عن توقيعات هجمات حقن الأوامر
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies (administrative access restrictions)
ECC 2024 A.5.2.1 - User Registration and Access Rights Management
ECC 2024 A.6.2.1 - Restriction of Access to Information (network segmentation)
ECC 2024 A.12.4.1 - Event Logging (monitoring and detection requirements)
ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities (patch management)
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset Management (inventory of affected devices)
SAMA CSF PR.AC-1 - Access Control (authentication and authorization)
SAMA CSF PR.PT-1 - Protection Processes (vulnerability management)
SAMA CSF DE.CM-1 - Detection and Analysis (monitoring and logging)
SAMA CSF RS.MI-1 - Incident Response (containment and remediation)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control (user access management)
ISO 27001:2022 A.8.1 - Cryptography (secure authentication)
ISO 27001:2022 A.12.2.1 - Information and Communication Technology (ICT) Change Management
ISO 27001:2022 A.12.6.1 - Management of Technical Vulnerabilities
ISO 27001:2022 A.12.4.1 - Event Logging (detection and monitoring)
🔗 References & Sources 5
🔗
https://github.com/cha0yang1/UTT810CVE/blob/main/README.md
cna@vuldb.com
Exploit
Third Party Advisory
🔗
https://github.com/cha0yang1/UTT810CVE/blob/main/README.md#reproduction-steps
cna@vuldb.com
Exploit
Third Party Advisory
🔗
https://vuldb.com/?ctiid.344646
cna@vuldb.com
Permissions Required
VDB Entry
🔗
https://vuldb.com/?id.344646
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/?submit.745521
cna@vuldb.com
Third Party Advisory
VDB Entry
📦 Affected Products / CPE 1 entries
utt:810_firmware:1.7.4-141218