CVE-2025-10170 in 1200GW

Summary

by MITRE • 09/10/2025

A security vulnerability has been detected in UTT 1200GW up to 3.0.0-170831. This affects the function sub_4B48F8 of the file /goform/formApLbConfig. Such manipulation of the argument loadBalanceNameOld leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


Analysis

by VulDB Data Team • 09/10/2025

CVE-2025-10170 is a critical buffer overflow in the UTT 1200GW network device firmware, version 3.0.0-170831 and earlier. The flaw sits in the function sub_4B48F8 behind the /goform/formApLbConfig endpoint, which handles load-balancing configuration. It arises from improper input validation of the loadBalanceNameOld argument: a crafted value can exceed the allocated buffer and overwrite adjacent memory. Because the condition can be triggered remotely, no physical access to the device is needed, which makes it particularly dangerous in network infrastructure deployments.

The overflow stems from insufficient bounds checking in the firmware's web interface code. When a configuration request reaches the formApLbConfig endpoint, the loadBalanceNameOld parameter is neither sanitized nor checked against a maximum length, so a request carrying an over-long value exceeds the buffer's capacity and may lead to arbitrary code execution or a crash. The vulnerability corresponds to CWE-121 (stack-based buffer overflow) and may also exhibit the characteristics of CWE-787 (out-of-bounds write). The attack vector is the web-based management interface, so it is reachable by anyone with network connectivity to the device's administrative port.

The operational impact goes beyond instability: successful exploitation could give an attacker unauthorized administrative control of the UTT 1200GW, allowing them to modify network configuration, intercept traffic, or use the device as a pivot into other network segments, with the attendant opportunities for privilege escalation and persistent access. Because the exploit has been publicly disclosed and is available, the window for defensive action is limited, particularly since the vendor has not responded or released a patch despite early notification. For organizations relying on this equipment this creates an immediate risk, since adversaries can use the vulnerability without specialized knowledge or expensive tools.

Organizations should implement mitigations now while awaiting a vendor patch. Network segmentation should limit who can reach the administrative interface, and strict firewall rules should restrict access to the device's web management ports. Monitoring for suspicious traffic patterns and anomalous configuration changes can help detect exploitation attempts. Under the MITRE ATT&CK framework the vulnerability would likely map to techniques such as T1059 (command execution) and T1071 (application layer protocol), since an attacker would deliver the malicious payload through the web interface. Regular firmware updates and vulnerability assessments should be prioritized, and organizations should consider alternative network infrastructure if the vendor fails to provide a timely resolution to this critical flaw.

Responsible: VulDB

Disclosure: 09/10/2025

Moderation: accepted

CPE: ready

Exploit: available (download)

EPSS: 0.00396

KEV: no

Activities: very low
