Executive Summary

CVE-2026-36356 is an unauthenticated OS command injection vulnerability found in the MeiG Smart FORGE_SLT711 4G LTE CPE devices that use the GoAhead web server.

The flaw exists in the HTTP endpoint `/action/SetRemoteAccessCfg`, which does not require authentication and allows attackers to execute arbitrary commands as root.

This happens because the GoAhead server configuration is missing an authentication route entry for this endpoint, and the server uses an unsafe `sprintf()` followed by a `system()` call that interpolates user-controlled JSON input directly into a shell command without sanitization.

Attackers can exploit this by sending a crafted POST request with a malicious `password` field in JSON format, enabling them to execute commands with root privileges.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to gain persistent root access to the affected device without any authentication.

By exploiting the command injection, attackers can execute arbitrary commands on the device, potentially installing backdoors such as a telnet backdoor for continued access.

This can lead to full compromise of the device, unauthorized control, data theft, disruption of services, or use of the device as part of a larger attack.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending crafted POST requests to the /action/SetRemoteAccessCfg endpoint on the affected MeiG Smart FORGE_SLT711 devices and observing if arbitrary commands can be executed without authentication.

A practical detection method involves using the provided Python exploit script poc_rce.py, which automates sending malicious JSON payloads to test for command injection.

Alternatively, you can manually test by sending a POST request with a JSON body containing a malicious 'password' field to the endpoint, for example using curl:

• curl -X POST http://<target-ip>/action/SetRemoteAccessCfg -H "Content-Type: application/json" -d '{"password":";id;"}'

If the device executes the injected command (like 'id'), it indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable /action/SetRemoteAccessCfg endpoint by implementing network-level controls such as firewall rules to block unauthorized access.

Disabling or isolating the affected device from untrusted networks until a patch or firmware update is applied is recommended.

Monitor network traffic for suspicious POST requests to the endpoint and look for signs of exploitation attempts.

Contact the device vendor for firmware updates or patches that address the unauthenticated command injection vulnerability.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated remote attackers to execute arbitrary OS commands as root on affected devices, potentially leading to unauthorized access and control over sensitive data.

Such unauthorized access and potential data breaches could result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of data, leading to violations of these regulatory requirements.

Useful 0 Not Useful 0