Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Command Injection. The Network Time Protocol (NTP) configuration interface does not properly sanitize user-supplied input. An authenticated user with permission to configure NTP settings can inject arbitrary system commands through crafted input fields. These commands are executed with elevated privileges, leading to potential full system compromise.
AnalysisAI
Command injection in U-SPEED AC1200 Gigabit Wi-Fi Router (Model T18-21K) V1.0 allows authenticated administrators to execute arbitrary system commands with elevated privileges through the Network Time Protocol (NTP) configuration interface. The vulnerability stems from insufficient input sanitization in NTP settings fields, enabling full system compromise. CVSS score of 7.2 reflects high impact across confidentiality, integrity, and availability. Public proof-of-concept code exists via GitHub repository (N0tMilk/vulnerability-research), though no active exploitation has been confirmed via CISA KEV at time of analysis. EPSS data not available for risk probability assessment.
Technical ContextAI
This vulnerability affects the U-SPEED AC1200 Gigabit Wi-Fi Router Model T18-21K firmware version 1.0, specifically in the web-based administration interface's NTP configuration module. The flaw is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), commonly known as command injection. The NTP settings interface fails to sanitize or validate user-supplied input before passing it to system command execution functions. When administrators configure time server addresses or related NTP parameters, the router's firmware directly incorporates this input into shell commands without proper escaping or parameterization. The commands execute in the context of the router's operating system with root or administrative privileges, typical of embedded Linux-based router firmware. This enables injection of shell metacharacters, command separators (such as semicolons, pipes, or backticks), and arbitrary command sequences that the underlying OS interprets and executes.
RemediationAI
No vendor-released patch or firmware update has been identified through available references at time of analysis. Without official vendor remediation, organizations should implement compensating controls with the following trade-offs: (1) Disable remote administrative access to the router's web interface entirely, restricting management to local LAN connections only - this prevents network-based exploitation but complicates remote device administration; (2) Implement strict firewall rules blocking external access to the router's management ports (typically TCP 80/443/8080) while allowing only specific trusted IP addresses on the internal network - reduces attack surface but requires maintained allowlists; (3) Change default administrative credentials immediately to complex passwords (minimum 16 characters, alphanumeric with symbols) and enable multi-factor authentication if available - increases attacker effort but does not eliminate the underlying vulnerability; (4) Monitor router system logs for suspicious NTP configuration changes or failed authentication attempts - provides detection capability but no prevention. Organizations with high-security requirements should consider replacing affected devices with alternative router models from vendors demonstrating active security patch support. Consult the proof-of-concept repository (https://github.com/N0tMilk/vulnerability-research/tree/main/IoT/CVE-2026-36741) for technical details that may inform additional detection rules. Check NVD listing (https://nvd.nist.gov/vuln/detail/CVE-2026-36741) periodically for vendor advisory updates.
More in T18 21K Firmware
View allSame weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30044
GHSA-pvcc-fj7g-vm23