CVE-2025-13442 is a command injection vulnerability identified in the UTT 进取 750W device firmware versions up to 3.2.2-191225. The flaw resides in the handling of the policyNames parameter within the /goform/formPdbUpConfig web interface endpoint. This parameter is passed directly to a system function without adequate sanitization or validation, enabling an attacker to inject arbitrary commands executed with the privileges of the affected system. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing the risk of automated or targeted attacks. The vendor was contacted early but has not issued any patches or advisories, leaving the vulnerability unmitigated. The CVSS 4.0 score of 6.9 reflects a medium severity level, considering the network attack vector, low attack complexity, and no privileges or user interaction needed. The vulnerability impacts confidentiality, integrity, and availability, as attackers can execute commands to exfiltrate data, alter system behavior, or disrupt services. Although no active exploits have been reported in the wild, public disclosure of the exploit code increases the likelihood of future attacks. The affected product is used in various network environments, potentially including enterprise and industrial settings, where compromise could have significant operational consequences.

For European organizations deploying the UTT 进取 750W device, this vulnerability poses a significant risk of unauthorized remote code execution. Attackers exploiting this flaw can gain control over the device, potentially pivoting to internal networks, stealing sensitive information, or disrupting critical services. The lack of authentication and user interaction requirements means attacks can be automated and launched at scale. Confidentiality is at risk due to possible data exfiltration, integrity can be compromised by unauthorized configuration changes or malware installation, and availability may be affected by denial-of-service conditions triggered by malicious commands. Organizations in sectors such as telecommunications, manufacturing, and critical infrastructure that rely on these devices for network connectivity or control systems are particularly vulnerable. The absence of vendor patches increases exposure time, necessitating immediate defensive measures. Additionally, public exploit disclosure raises the probability of opportunistic attacks targeting European networks.

Since no official patch or vendor response is available, European organizations should implement compensating controls immediately. These include restricting network access to the affected device's management interface via firewall rules or VPNs, limiting exposure to trusted IP addresses only. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or anomaly detection capable of identifying command injection attempts targeting /goform/formPdbUpConfig. Conduct thorough input validation and filtering on any proxy or gateway devices if feasible. Regularly monitor device logs and network traffic for unusual commands or connections. Segment the network to isolate the vulnerable device from critical assets and sensitive data. Consider replacing or upgrading devices if possible to models without this vulnerability. Maintain an incident response plan to quickly address any detected exploitation attempts. Finally, stay alert for vendor updates or community patches and apply them promptly once available.