Overview
CVE-2026-52186 is a critical-severity SQL injection vulnerability affecting UTT nv518G routers running firmware version nv518GV3v3.2.7-210919-161313. The vulnerability carries a CVSS v3 base score of 9.8 (Critical) and allows a remote, unauthenticated attacker to execute arbitrary code on the affected device.
The flaw resides in the gohead web server component, specifically within the sub_463bbc function, which fails to properly sanitize user-supplied input before incorporating it into SQL queries executed on the underlying system.
Technical Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-52186 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Affected Component | gohead/sub_463bbc |
| Vulnerability Type | SQL Injection → Remote Code Execution |
How the Vulnerability Works
The UTT nv518G router's embedded web management interface is powered by the gohead HTTP server. The sub_463bbc function within this server handles certain web requests but fails to validate or sanitize input parameters before passing them to internal SQL operations.
An attacker can craft a malicious HTTP request containing SQL metacharacters or injection payloads that break out of the intended SQL context. Because the web server process runs with elevated privileges on the embedded Linux environment, successful exploitation can result in arbitrary OS command execution — giving the attacker full control over the device.
Affected Products
- Device: UTT nv518G
- Firmware:
nv518GV3v3.2.7-210919-161313 - Other firmware versions: May be affected; confirm with vendor advisory
UTT (Universal Telecommunication Technologies) produces networking equipment including routers, switches, and VPN gateways commonly deployed in small-to-medium business environments in Asia-Pacific regions.
Risk Assessment
With a CVSS score of 9.8, this vulnerability represents an extremely high risk:
- No authentication required — any network-reachable attacker can exploit this
- No user interaction — exploitation is fully automated
- Low complexity — standard SQL injection techniques apply
- Full device compromise — successful exploitation gives attacker root-equivalent access
- Persistent access — attackers can install backdoors, modify routing tables, or pivot to internal networks
Routers exposed to the internet with their management interface accessible are at the highest risk. Even devices not directly internet-facing may be vulnerable if an attacker has access to the local network segment.
Mitigation
As of the publication date, no official patch has been confirmed. Recommended mitigations include:
- Restrict management interface access — firewall the router's web admin port to trusted IP ranges only; never expose it to the public internet
- Disable remote management — if remote administration is not required, disable it entirely
- Network segmentation — place routers in isolated management VLANs with strict ACLs
- Monitor for exploitation — watch for anomalous HTTP requests to the router management port containing SQL metacharacters (
',",--,;,UNION,SELECT) - Check for firmware updates — contact UTT support for patches targeting this CVE and apply them immediately upon release
- Consider replacement — for devices no longer receiving vendor support, consider replacing with actively maintained hardware
Indicators of Compromise
Watch for the following in router access logs (if logging is enabled):
- HTTP requests to the management interface containing SQL keywords (
UNION,SELECT,INSERT,DROP,EXEC) - Unusual outbound connections from the router to external IPs
- Unexpected configuration changes or new administrator accounts
- Unexplained reboots or firmware reflash events
References
- NVD Entry — CVE-2026-52186
- Published: 2026-07-01