Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26792 is a command injection vulnerability found in the GL-iNet GL-AR300M16 router running firmware version 4.3.11. The flaw exists in the set_upgrade function, which processes several parameters such as modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, and upgrade_type without proper input validation or sanitization.'}, {'type': 'paragraph', 'content': 'An attacker can inject malicious shell commands into these parameters, which are then executed by the system with root privileges. This happens because the parameters are concatenated into a command string and executed via a shell call, allowing arbitrary command execution on the device.'}, {'type': 'paragraph', 'content': "Exploitation involves sending a crafted HTTP POST request with a JSON-RPC payload to the router's RPC endpoint, including injected shell commands in parameters like modem_url. Despite some vendor mitigation attempts, the vulnerability remains exploitable."}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to full system compromise of the affected router. An attacker who successfully exploits it can execute arbitrary commands with root privileges, which may result in unauthorized access to the device.

Potential impacts include data theft, installation of persistent backdoors, disruption of device functionality, and loss of control over the network traffic passing through the router.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for unusual HTTP POST requests to the router's RPC endpoint, such as requests to URLs like http://192.168.2.10/rpc containing JSON-RPC payloads with suspicious parameters in modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, or upgrade_type."}, {'type': 'paragraph', 'content': 'One detection method is to check for the presence of files created by command injection attempts, for example, the file /www/pwntest4.txt which may be created by injected commands like `echo 123 > /www/pwntest4.txt`.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': 'Inspect HTTP logs for POST requests to /rpc with suspicious JSON payloads containing shell metacharacters.'}, {'type': 'list_item', 'content': 'Run `ls -l /www/pwntest4.txt` to check for the presence of test files created by exploits.'}, {'type': 'list_item', 'content': 'Use network monitoring tools to capture and analyze traffic for crafted RPC requests targeting the vulnerable parameters.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the router's RPC endpoint to trusted users only, such as limiting access to the local network or specific IP addresses."}, {'type': 'paragraph', 'content': 'Ensure that administrative authentication tokens or cookies are kept secure and not exposed to untrusted users.'}, {'type': 'paragraph', 'content': 'Monitor and block suspicious HTTP POST requests that attempt to exploit the vulnerable parameters.'}, {'type': 'paragraph', 'content': 'If possible, update or patch the device firmware to a version where the vulnerability is fixed or apply vendor-provided mitigations.'}, {'type': 'paragraph', 'content': 'As a temporary workaround, disable or restrict the set_upgrade function or the RPC interface if it is not required.'}] [1]

Useful 0 Not Useful 0