CVE-2026-26795
Command Injection in GL-iNet GL-AR300M16 System Log Module
Publication date: 2026-03-12
Last updated on: 2026-03-16
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gl-inet | ar300m16_firmware | 4.3.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-26795 affects the GL.iNet GL-AR300M16 router, specifically firmware version 4.3.11. It is a command injection vulnerability found in the function M.get_system_log within the logread.lua script.
The issue arises because the function improperly handles the module parameter by directly inserting user-supplied input into shell commands without proper sanitization or validation. This allows an attacker to inject arbitrary shell commands.
An attacker can exploit this by sending a crafted HTTP POST request to the router's JSON-RPC interface, including malicious commands in the module parameter. These commands are executed with root privileges on the device.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary commands on the affected router with root privileges.
As a result, attackers can take full control of the device, potentially leading to unauthorized access, data theft, device manipulation, or using the device as a foothold for further attacks within a network.
For example, an attacker could create or modify files on the device, disrupt normal operations, or install malicious software.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the router's JSON-RPC interface at the /rpc endpoint, especially those containing the get_system_log method with a crafted module parameter.

An example of a malicious payload to look for is a JSON request where the module parameter includes shell command injection patterns, such as embedded shell commands separated by characters like ';' or '#'.

To detect exploitation attempts, you can capture and inspect network traffic targeting the router's IP address on HTTP port 80 or 443 (for 443 the request body is only visible after TLS decryption, e.g. at a terminating proxy), filtering for POST requests to /rpc containing suspicious JSON payloads.

Additionally, on the device itself, you can check for unexpected files or changes, such as the presence of files like /www/pwn.txt, which may indicate successful command injection.

- Use network packet capture tools (e.g., tcpdump or Wireshark) to filter HTTP POST requests to /rpc.
- Example tcpdump command to capture POST requests (the BPF filter matches the first four bytes of the TCP payload against the ASCII bytes "POST"): tcpdump -i any -A 'tcp port 80 and dst host <router_ip> and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'
- Search router logs for unexpected files or command execution traces, e.g., ls -l /www/pwn.txt. [1]
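The detection advice above amounts to a simple rule: a /rpc POST body that calls get_system_log with a module value outside the set of plain log-module names is suspect. The Python below is an added example, not code from the page or from GL.iNet, that applies that rule to constructed JSON-RPC bodies; the exact request shape is an assumption, so the walker only looks for the method name and a "module" key wherever they appear, and the same allowlist is what a server-side fix in the Lua handler would enforce before building any shell command.

```python
import json
import re

# Constructed sample bodies (not captured from a real device). The argument
# layout under "params" is an assumption about the firmware's JSON-RPC shape.
SAMPLE_BODIES = [
    '{"jsonrpc":"2.0","id":1,"method":"call","params":'
    '["SID_PLACEHOLDER","logread","get_system_log",{"module":"kernel"}]}',
    '{"jsonrpc":"2.0","id":2,"method":"call","params":'
    '["SID_PLACEHOLDER","logread","get_system_log",'
    '{"module":"kernel; INJECTED_PLACEHOLDER"}]}',
    '{"jsonrpc":"2.0","id":3,"method":"call","params":'
    '["SID_PLACEHOLDER","system","get_status",{}]}',
    'not json at all',
]

# Allowlist for a log-module name: letters, digits, '_', '.', '-' only.
# Shell metacharacters such as ';' '#' '|' '`' '$' and whitespace never match.
SAFE_MODULE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
TARGET_METHOD = "get_system_log"


def _walk(node, found):
    """Collect every string value and every value stored under a 'module' key."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "module":
                found["modules"].append(value)
            _walk(value, found)
    elif isinstance(node, list):
        for value in node:
            _walk(value, found)
    elif isinstance(node, str):
        found["strings"].append(node)


def inspect_rpc_body(body):
    """Return (verdict, reason) for one HTTP POST body sent to /rpc."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ("ignore", "body is not JSON")
    found = {"strings": [], "modules": []}
    _walk(doc, found)
    if TARGET_METHOD not in found["strings"]:
        return ("benign", "does not call get_system_log")
    for mod in found["modules"]:
        # Non-string values are equally unexpected for a module name.
        if not isinstance(mod, str) or not SAFE_MODULE.match(mod):
            return ("alert", f"suspicious module value: {mod!r}")
    return ("benign", "module value matches allowlist")


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        verdict, reason = inspect_rpc_body(body)
        print(f"{verdict:6} {reason}")
```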
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's JSON-RPC interface to trusted users only, such as limiting access to the local network or specific IP addresses.

Ensure that administrative authentication tokens or credentials are kept secure and not exposed to untrusted networks.

If possible, disable or restrict the vulnerable get_system_log function or the entire JSON-RPC interface until a patch or firmware update is available.

Monitor the device for signs of compromise, such as unexpected files or processes, and consider rebooting or restoring the device to a known safe state.

Check for and apply any available firmware updates from the vendor that address this vulnerability. [1]