UTT HiPER 810 formUser setSysAdm command injection

A vulnerability has been found in UTT HiPER 810 1.7.4-141218. This issue affects the function setSysAdm of the file /goform/formUser. The manipulation of the argument passwd1 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Problem type

Affected products

UTT

HiPER 810

1.7.4-141218 - AFFECTED

References

VDB-344646 | UTT HiPER 810 formUser setSysAdm command injection

https://vuldb.com/?id.344646

vdb-entrytechnical-description

VDB-344646 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.344646

signaturepermissions-required

Submit #745521 | UTT HiPER 810 / nv810v4 nv810v4v1.7.4-141218 Command Injection

https://vuldb.com/?submit.745521

third-party-advisory

github.com

https://github.com/cha0yang1/UTT810CVE/blob/main/README.md

github.com

https://github.com/cha0yang1/UTT810CVE/blob/main/README.md#reproduction-steps

exploit

GitHub Security Advisories

GHSA-f6xg-v873-2j3q

A vulnerability has been found in UTT HiPER 810 1.7.4-141218. This issue affects the function...

https://github.com/advisories/GHSA-f6xg-v873-2j3q

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-2080

github.com

https://github.com/cha0yang1/UTT810CVE/blob/main/README.md

github.com

https://github.com/cha0yang1/UTT810CVE/blob/main/README.md#reproduction-steps

vuldb.com

https://vuldb.com/?ctiid.344646

vuldb.com

https://vuldb.com/?id.344646

vuldb.com

https://vuldb.com/?submit.745521

github.com

https://github.com/advisories/GHSA-f6xg-v873-2j3q

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-2080

Click to expand

{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-2080",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2026-02-07T09:02:06.706Z",
    "dateReserved": "2026-02-06T08:00:39.436Z",
    "datePublished": "2026-02-07T09:02:06.706Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2026-02-07T09:02:06.706Z"
      },
      "title": "UTT HiPER 810 formUser setSysAdm command injection",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in UTT HiPER 810 1.7.4-141218. This issue affects the function setSysAdm of the file /goform/formUser. The manipulation of the argument passwd1 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "affected": [
        {
          "vendor": "UTT",
          "product": "HiPER 810",
          "versions": [
            {
              "version": "1.7.4-141218",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Command Injection",
              "cweId": "CWE-77",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Injection",
              "cweId": "CWE-74",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.344646",
          "name": "VDB-344646 | UTT HiPER 810 formUser setSysAdm command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.344646",
          "name": "VDB-344646 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.745521",
          "name": "Submit #745521 | UTT HiPER 810 / nv810v4 nv810v4v1.7.4-141218 Command Injection",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/cha0yang1/UTT810CVE/blob/main/README.md",
          "tags": [
            "related"
          ]
        },
        {
          "url": "https://github.com/cha0yang1/UTT810CVE/blob/main/README.md#reproduction-steps",
          "tags": [
            "exploit"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "baseScore": 7.2,
            "baseSeverity": "HIGH"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "baseScore": 7.2,
            "baseSeverity": "HIGH"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "baseScore": 8.3
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-02-06T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2026-02-06T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2026-02-06T09:05:44.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "cha0yang (VulDB User)",
          "type": "reporter"
        }
      ]
    }
  }
}