CVE-2026-11406
Deferred Deferred - Pending Action
Command Injection in GL.iNet MT3000 OpenVPN Client

Publication date: 2026-06-06

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was determined in GL.iNet MT3000 up to 4.4.5. This vulnerability affects unknown code of the file ovpnclient.sh of the component OpenVPN Client Import Workflow. This manipulation causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 4.9.0_beta3-1012-0513-1778656146 is able to resolve this issue. You should upgrade the affected component. The vendor confirms: "This issue has been addressed by implementing malicious checks on OpenVPN configuration files to prevent command injection attacks carried through malicious configuration files."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-06
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-06
EPSS Evaluated
2026-06-25
NVD
CVE-2026-11406
EUVD
EUVD-2026-34963
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
gl.inet mt3000 to 4.4.5 (inc)
gl.inet mt3000 4.9.0_beta3-1012-0513-1778656146
openvpn client *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-11406 is a command injection vulnerability in the OpenVPN client import functionality of the GL.iNet MT3000 device running firmware up to version 4.4.5. It occurs in the ovpnclient.sh script, which processes imported OpenVPN configuration files. An attacker with administrative credentials can upload a malicious .ovpn configuration file that bypasses insufficient validation and filtering. This allows the attacker to inject harmful OpenVPN directives that can lead to arbitrary file creation or execution of commands with root privileges.

Impact Analysis

This vulnerability can have serious impacts including remote code execution as root on the affected device. An attacker who exploits this flaw can execute arbitrary commands with the highest privileges, potentially leading to full device compromise. This can result in unauthorized control over the device, data theft, disruption of network services, or use of the device as a foothold for further attacks.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious or specially crafted OpenVPN configuration files (.ovpn) uploaded via the OpenVPN client import functionality on GL.iNet MT3000 devices running firmware up to version 4.4.5.

Since the vulnerability involves command injection through the ovpnclient.sh script processing these configuration files, detection involves inspecting uploaded .ovpn files for suspicious directives such as writepid, up, down, tls-verify, and client-connect that are not properly filtered.

You can also monitor the /upload endpoint activity for unauthorized or suspicious uploads of .ovpn files.

Suggested commands to detect suspicious files or activity include:

  • Check for recently uploaded .ovpn files in the temporary directory used by the OpenVPN client import workflow, for example: `ls -l /tmp/` or the specific upload directory.
  • Search for suspicious directives in .ovpn files: `grep -E 'writepid|up|down|tls-verify|client-connect' /path/to/uploaded/configs/*.ovpn`
  • Monitor logs for OpenVPN client import activity or errors related to ovpnclient.sh script execution.
Mitigation Strategies

The primary mitigation step is to upgrade the GL.iNet MT3000 device firmware to version 4.9.0_beta3-1012-0513-1778656146 or later, as this version includes checks on OpenVPN configuration files to prevent command injection attacks.

Until the upgrade can be applied, restrict access to the OpenVPN client import functionality to trusted administrators only, and avoid uploading untrusted or unknown .ovpn configuration files.

Additionally, monitor and audit uploaded configuration files for suspicious directives and remove any that could be used for command injection.

Compliance Impact

The provided context and resources do not contain information regarding the impact of CVE-2026-11406 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11406. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart