Executive Summary

The vulnerability CVE-2026-26795 affects the GL.iNet GL-AR300M16 router, specifically firmware version 4.3.11. It is a command injection vulnerability found in the function M.get_system_log within the logread.lua script.

The issue arises because the function improperly handles the module parameter by directly inserting user-supplied input into shell commands without proper sanitization or validation. This allows an attacker to inject arbitrary shell commands.

An attacker can exploit this by sending a crafted HTTP POST request to the router’s JSON-RPC interface, including malicious commands in the module parameter. These commands are executed with root privileges on the device.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary commands on the affected router with root privileges.

As a result, attackers can take full control of the device, potentially leading to unauthorized access, data theft, device manipulation, or using the device as a foothold for further attacks within a network.

For example, an attacker could create or modify files on the device, disrupt normal operations, or install malicious software.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the router's JSON-RPC interface at the /rpc endpoint, especially those containing the get_system_log method with a crafted module parameter."}, {'type': 'paragraph', 'content': "An example of a malicious payload to look for is a JSON request where the module parameter includes shell command injection patterns, such as embedded shell commands separated by characters like ';' or '#'."}, {'type': 'paragraph', 'content': "To detect exploitation attempts, you can capture and inspect network traffic targeting the router's IP address on HTTP port 80 or 443, filtering for POST requests to /rpc containing suspicious JSON payloads."}, {'type': 'paragraph', 'content': 'Additionally, on the device itself, you can check for unexpected files or changes, such as the presence of files like /www/pwn.txt, which may indicate successful command injection.'}, {'type': 'list_item', 'content': 'Use network packet capture tools (e.g., tcpdump or Wireshark) to filter HTTP POST requests to /rpc.'}, {'type': 'list_item', 'content': "Example tcpdump command: tcpdump -i any -A 'tcp port 80 and (((ip dst <router_ip>) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354))' to capture POST requests."}, {'type': 'list_item', 'content': 'Search router logs for unexpected files or command execution traces, e.g., ls -l /www/pwn.txt.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the router's JSON-RPC interface to trusted users only, such as limiting access to the local network or specific IP addresses."}, {'type': 'paragraph', 'content': 'Ensure that administrative authentication tokens or credentials are kept secure and not exposed to untrusted networks.'}, {'type': 'paragraph', 'content': 'If possible, disable or restrict the vulnerable get_system_log function or the entire JSON-RPC interface until a patch or firmware update is available.'}, {'type': 'paragraph', 'content': 'Monitor the device for signs of compromise, such as unexpected files or processes, and consider rebooting or restoring the device to a known safe state.'}, {'type': 'paragraph', 'content': 'Check for and apply any available firmware updates from the vendor that address this vulnerability.'}] [1]

Useful 0 Not Useful 0