CVE-2026-2135

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions UTT HiPER 810 version 1.7.4-141218

Description A flaw exists in UTT HiPER 810 that allows for remote command injection. The issue is located in the sub 43F020 function within the /goform/formPdbUpConfig file. Manipulation of the policyNames argument can lead to the execution of arbitrary commands. The exploit for this issue is publicly available.

Recommendations Versions prior to 1.7.4-141218 are not affected. As a mitigation, restrict access to the /goform/formPdbUpConfig file. Avoid using the policyNames argument in the affected API endpoint /goform/formPdbUpConfig until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Command Injection

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-74

Related Identifiers

BDU:2026-02483

CVE-2026-2135

Affected Products

Utt Hiper 810

CVE-2026-2135

Weakness Enumeration

Related Identifiers

Affected Products

References · 10