CVE-2026-2188

7.2 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary operating system commands on UTT 进取 521G devices through command injection in the formPdbUpConfig function. Attackers can exploit this by manipulating the policyNames argument, potentially gaining full control of affected devices. Organizations using UTT 进取 521G version 3.1.1-190816 are affected.

💻 Affected Systems

Products:
  • UTT 进取 521G
Versions: 3.1.1-190816
Operating Systems: Embedded Linux/RTOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the web management interface's form processing function. No special configuration is required for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise allowing attackers to install persistent backdoors, steal sensitive data, pivot to internal networks, or use devices as botnet nodes.

🟠 Likely Case: Remote code execution leading to device takeover, credential theft, and potential lateral movement within the network.

🟢 If Mitigated: Limited impact if devices are isolated in separate network segments with strict egress filtering and monitored for suspicious activity.

🌐 Internet-Facing: HIGH - Attackers can exploit remotely without authentication, making exposed devices immediate targets.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this, but exploitation requires network access to the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available on GitHub, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is currently available. Monitor vendor channels for updates and apply immediately when released.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate affected devices in separate VLANs with strict firewall rules to prevent external access and limit lateral movement.

Access Control

Platform: linux

Restrict access to the device's management interface to trusted IP addresses only using firewall rules.

# Replace trusted_ip with the address of the trusted management host.
# The ACCEPT rule must stay ahead of the DROP rule.
iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Immediately remove affected devices from internet-facing positions and place behind firewalls with strict ingress/egress filtering.
  • Implement network monitoring for unusual outbound connections or command execution patterns from these devices.

🔍 How to Verify

Check if Vulnerable:

Check device version via web interface or CLI. If running 3.1.1-190816, assume vulnerable.

Check Version:

Check web interface system info page or use device-specific CLI commands if available.

Verify Fix Applied:

Verify version has been updated beyond 3.1.1-190816 when vendor releases patch.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/formPdbUpConfig
  • Suspicious command execution in system logs
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • Unexpected outbound connections from device
  • Traffic to known malicious IPs
  • Unusual port activity from device

SIEM Query:

source="device_logs" AND (url="/goform/formPdbUpConfig" OR cmd="*;*" OR cmd="*|*" OR cmd="*`*" OR cmd="*$(*")
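
The log indicators and SIEM query above, worked as an added example (not part of the original advisory and not vendor code): a Python filter that flags POST requests to /goform/formPdbUpConfig whose policyNames value contains shell metacharacters, including percent-encoded and double-encoded forms. The one-request-per-line log layout, the function names and the sample lines are assumptions constructed for illustration; the advisory does not specify a log schema.

```python
import re
from urllib.parse import parse_qs, unquote_plus

ENDPOINT = "/goform/formPdbUpConfig"  # handler path named in the advisory
PARAM = "policyNames"                 # injectable argument named in the advisory
# ; | ` $( come from the advisory's SIEM query; & and line breaks are added
# here because they also separate shell commands.
SHELL_META = re.compile(r"[;|`&\r\n]|\$\(")

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253B) a bounded number of times."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return an alert dict for a suspicious request, else None."""
    # Assumed layout: <timestamp> <src_ip> <method> <path> <urlencoded_body>
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    ts, src, method, path, body = parts
    if method != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return None
    for raw in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        value = fully_decode(raw)
        hit = SHELL_META.search(value)
        if hit:
            return {"time": ts, "src": src, "match": hit.group(0), "value": value}
    return None

# Constructed sample lines (documentation addresses, placeholder payloads).
SAMPLE_LOG = """\
2026-02-10T09:14:02Z 192.0.2.10 POST /goform/formPdbUpConfig policyNames=office-policy
2026-02-10T09:15:40Z 198.51.100.7 POST /goform/formPdbUpConfig policyNames=a%3BPLACEHOLDER_CMD
2026-02-10T09:15:52Z 198.51.100.7 POST /goform/formPdbUpConfig policyNames=a%2524%2528PLACEHOLDER_CMD%2529
2026-02-10T09:16:05Z 192.0.2.10 GET /index.html -
"""

def scan_log(text):
    return [a for a in map(scan_line, text.splitlines()) if a]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

This only works where request bodies are logged, for example at a reverse proxy or inspection point in front of the management interface.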
