CVE-2025-13442 Overview
CVE-2025-13442 is a command injection vulnerability affecting UTT 进取 750W routers running firmware versions up to 3.2.2-191225. The flaw resides in the system function within the /goform/formPdbUpConfig endpoint, where the policyNames parameter is passed unsanitized to a shell context. Attackers can exploit the issue remotely without authentication or user interaction. The exploit has been disclosed publicly, and the vendor did not respond to early disclosure attempts. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output).
Critical Impact
Unauthenticated remote attackers can inject arbitrary operating system commands through the policyNames parameter, gaining execution on the affected router.
Affected Products
- UTT 进取 750W router (hardware revision 5.0)
- UTT 750W firmware versions up to 3.2.2-191225
- Devices exposing the /goform/formPdbUpConfig web management endpoint
Discovery Timeline
- 2025-11-20 - CVE-2025-13442 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-13442
Vulnerability Analysis
The vulnerability exists in the HTTP handler for /goform/formPdbUpConfig on UTT 750W routers. The handler processes a policyNames request parameter and forwards its value into a system() call without input sanitization or argument escaping. Because the parameter is concatenated into a shell command string, attackers can append shell metacharacters such as ;, |, &&, or backticks to break out of the intended command context.
Exploitation requires only network reachability to the router's management interface. No credentials are required, and the attack does not depend on user interaction. The injected commands execute with the privileges of the web server process, which on embedded SOHO routers is typically root.
Public disclosure occurred through a GitHub issue and the VulDB entry. The vendor was contacted prior to disclosure but did not respond.
Root Cause
The root cause is the unsafe construction of a shell command string inside the formPdbUpConfig handler. User-controlled input from policyNames reaches a system() invocation without allow-list validation, escaping, or argument-based execution. This is a classic command injection pattern in embedded goform CGI handlers.
Attack Vector
The attack vector is network-based against the HTTP management interface. An attacker submits a crafted POST or GET request to /goform/formPdbUpConfig with shell metacharacters appended to the policyNames value. The router executes the injected payload during processing. Public technical details are available in the VulDB threat report.
The vulnerability mechanism is described in prose only; no verified exploit code has been released, so none is reproduced here.
Detection Methods for CVE-2025-13442
Indicators of Compromise
- HTTP requests to /goform/formPdbUpConfig containing shell metacharacters such as ;, |, &, $(), or backticks within the policyNames parameter
- Unexpected outbound connections from the router to attacker-controlled hosts following management-interface traffic
- New or modified processes on the router that did not originate from firmware boot
Detection Strategies
- Inspect web server and reverse-proxy logs for POST or GET requests targeting /goform/formPdbUpConfig and flag values in policyNames that include non-alphanumeric characters
- Deploy network IDS signatures that match command injection patterns inside parameters submitted to UTT goform endpoints
- Compare router configuration snapshots over time to detect unauthorized policy changes that may indicate post-exploit persistence
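The first detection strategy above, carried out in code: an added example (not from the advisory or the vendor) that parses combined-format access log lines, URL-decodes the policyNames value (repeatedly, so double-encoded metacharacters are not missed) and grades it against the same allow-list a safe handler would have applied. The allow-list charset, the body="..." log field and the sample log lines are assumptions constructed for the example; stock access logs carry only the query string, so POST bodies need a request-logging module or a reverse proxy to be visible at all.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

VULN_PATH, VULN_PARAM = "/goform/formPdbUpConfig", "policyNames"  # from the advisory
ALLOWED = re.compile(r"^[A-Za-z0-9_,-]*$")  # assumed legitimate charset; tighten per deployment
META = re.compile(r"[;|&`$()\n]")  # shell metacharacters from the advisory's IoC list
# Combined-log line; the trailing body="..." field is an assumption (stock access
# logs record only the query string, not the POST body)
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+(?: body="(?P<body>[^"]*)")?')

def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding so %253B and %3B both resolve to ';'."""
    for _ in range(rounds):
        value, prev = unquote_plus(value), value
        if value == prev:
            break
    return value

def classify(value):
    if META.search(value):
        return "injection"     # shell syntax present: break-out attempt
    if not ALLOWED.match(value):
        return "suspicious"    # outside the allow-list, but no shell syntax
    return "clean"

def analyse_request(target, body=None):
    """Return [(verdict, decoded value)] for each policyNames value in one request."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    raw = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, [])
    raw += parse_qs(body or "", keep_blank_values=True).get(VULN_PARAM, [])
    return [(classify(v), v) for v in map(fully_decode, raw)]

def scan(log_text):
    """Return [(source address, verdict, value)] for every hit on the endpoint."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        for verdict, value in analyse_request(m.group("target"), m.group("body")):
            hits.append((m.group("src"), verdict, value))
    return hits

# Constructed sample lines (not real traffic); 203.0.113.9 is a documentation address
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2025:10:01:02 +0000] "GET /goform/formPdbUpConfig?policyNames=office_wifi HTTP/1.1" 200 512
203.0.113.9 - - [20/Nov/2025:10:02:11 +0000] "GET /goform/formPdbUpConfig?policyNames=a%3Bid HTTP/1.1" 200 512
203.0.113.9 - - [20/Nov/2025:10:02:15 +0000] "POST /goform/formPdbUpConfig HTTP/1.1" 200 512 body="policyNames=x%2524%2528id%2529"
10.0.0.5 - - [20/Nov/2025:10:03:00 +0000] "GET /status.html HTTP/1.1" 200 100
"""
```

Running `scan(SAMPLE_LOG)` grades the first request clean and both requests from 203.0.113.9 as injection attempts, the third only because of the second decoding pass.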
Monitoring Recommendations
- Forward router syslog and HTTP access logs to a centralized logging platform for retention and correlation
- Alert on management-interface access from source addresses outside an approved administrative allow-list
- Monitor for unusual DNS lookups or outbound traffic originating from router IP addresses
How to Mitigate CVE-2025-13442
Immediate Actions Required
- Restrict access to the router's web management interface so it is reachable only from trusted administrative networks
- Disable remote WAN-side management on UTT 750W devices until a patched firmware is available
- Audit existing UTT 750W deployments for firmware version 3.2.2-191225 or earlier and prioritize them for compensating controls
Patch Information
The vendor was notified prior to public disclosure but did not respond, and no official patched firmware has been published at the time of NVD publication. Operators should monitor the UTT product pages and the GitHub disclosure thread for any future firmware update addressing CVE-2025-13442.
Workarounds
- Place the router's management interface behind a VPN or jump host and block direct internet exposure of HTTP/HTTPS management ports
- Apply firewall rules on upstream devices to drop traffic to /goform/formPdbUpConfig from untrusted sources
- Consider replacing affected UTT 750W devices with supported hardware if the vendor does not issue a fix
# Example upstream firewall rules (iptables) on a gateway in front of the router,
# blocking access to the web management interface on ports 80 and 443 from any
# source outside the trusted admin range; 10.0.0.0-10.0.0.255 is a placeholder
# for that range and <ROUTER_IP> for the router's management address
iptables -A FORWARD -p tcp -d <ROUTER_IP> --dport 80 -m iprange \
! --src-range 10.0.0.0-10.0.0.255 -j DROP
iptables -A FORWARD -p tcp -d <ROUTER_IP> --dport 443 -m iprange \
! --src-range 10.0.0.0-10.0.0.255 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.