CVE-2026-11406
Command Injection in GL.iNet MT3000 OpenVPN Client
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gl.inet | mt3000 | up to and including 4.4.5 |
| gl.inet | mt3000 | 4.9.0_beta3-1012-0513-1778656146 |
| openvpn | client | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-11406 is a command injection vulnerability in the OpenVPN client import functionality of the GL.iNet MT3000, affecting firmware up to and including version 4.4.5. The flaw sits in the ovpnclient.sh script, which processes imported OpenVPN configuration files. An attacker who already holds administrative credentials can upload a crafted .ovpn file that gets past the script's insufficient validation and filtering. OpenVPN directives smuggled in this way (script hooks and file-writing options) are then honoured with root privileges, which lets the attacker create arbitrary files or execute arbitrary commands as root on the device.
How can this vulnerability impact me?
Successful exploitation gives an authenticated attacker (one holding administrative credentials for the device) remote code execution as root. Commands run with the highest privileges, so the result is full device compromise: unauthorized control over the router, theft of data passing through it, disruption of network services, or use of the device as a foothold for further attacks into the networks it connects.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to finding crafted .ovpn files that reached the OpenVPN client import functionality on a GL.iNet MT3000 running firmware up to and including 4.4.5, and to watching the import path itself.
Because the injection goes through ovpnclient.sh, which filters the uploaded configuration insufficiently, inspect every imported .ovpn file for directives that make OpenVPN run a program or write a file. The ones the advisory names are writepid, up, down, tls-verify and client-connect.
Also watch the /upload endpoint for unexpected or unauthorized .ovpn uploads.
Suggested commands to detect suspicious files or activity:
- List recently uploaded .ovpn files in the temporary directory used by the import workflow, newest first, for example `ls -lt /tmp/` or the specific upload directory.
- Search for the named directives at the start of a line. Anchoring the pattern avoids false positives from words such as `group` or `setup` that merely contain `up`, skips commented-out lines, and still catches the optional `--` prefix that OpenVPN accepts in config files: `grep -nE '^[[:space:]]*(--)?(writepid|up|down|tls-verify|client-connect)([[:space:]]|$)' /path/to/uploaded/configs/*.ovpn`
- Check the device logs for OpenVPN client import activity and for errors from ovpnclient.sh.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the GL.iNet MT3000 firmware to version 4.9.0_beta3-1012-0513-1778656146 or later, which adds checks on imported OpenVPN configuration files to prevent this command injection.
Until the upgrade can be applied, restrict access to the OpenVPN client import functionality to trusted administrators only, and avoid uploading untrusted or unknown .ovpn configuration files.
Additionally, audit every imported configuration file for script-hook and file-writing directives and remove any file that carries them.
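The following is an added example, not GL.iNet's code and not ovpnclient.sh, that implements the file audit described in both the detection answer and the mitigation answer above as a small POSIX shell script of the kind that runs on the router's BusyBox shell. It goes beyond the page's five directives with further OpenVPN options that run programs or write files (that wider list is my assumption, as is the sample config the script constructs), strips the optional `--` prefix OpenVPN accepts in config files, skips comments and inline certificate blocks so a certificate line cannot trigger a false positive, and returns exit status 1 when anything is flagged.

```shell
#!/bin/sh
# scan_ovpn.sh: flag OpenVPN directives in an imported .ovpn file that make
# openvpn run a program or write a file. Added example, not GL.iNet code.

# Directives that execute external programs or write files. The advisory names
# writepid, up, down, tls-verify and client-connect; the rest are other
# OpenVPN options of the same kind (assumption: this wider list is mine).
# "config" is included because it pulls in a second file that a line-based
# filter never sees.
OVPN_DANGEROUS='up|down|route-up|route-pre-down|ipchange|tls-verify|client-connect|client-disconnect|learn-address|auth-user-pass-verify|writepid|log|log-append|status|plugin|script-security|config'

# scan_ovpn FILE: print "FILE:LINE: text" for every flagged directive.
# Returns 1 if anything was flagged, 0 if the file is clean.
scan_ovpn() {
    awk -v re='^('"$OVPN_DANGEROUS"')([[:space:]]|$)' '
        # Inline <ca>, <cert>, <key> ... blocks hold file contents, not
        # directives, so their lines are skipped; <connection> blocks do
        # carry directives and are scanned like the rest of the file.
        /^[[:space:]]*<[a-z-]+>[[:space:]]*$/   { if ($0 !~ /<connection>/) inblock = 1; next }
        /^[[:space:]]*<\/[a-z-]+>[[:space:]]*$/ { inblock = 0; next }
        inblock { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)          # leading whitespace
            if (line == "" || line ~ /^[#;]/) next   # blank or comment line
            sub(/^--/, "", line)                    # optional "--" prefix openvpn accepts in config files
            if (line ~ re) { print FILENAME ":" NR ": " $0; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# count_hits FILE: number of flagged lines, for scripting around scan_ovpn.
count_hits() {
    scan_ovpn "$1" | wc -l | tr -d ' '
}

# make_sample FILE: write a constructed client config (not a real upload) that
# hides a hook behind the "--" prefix, has a harmless commented-out hook, and
# carries an "up" line inside an inline <ca> block that must not be flagged.
make_sample() {
    cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
up
-----END CERTIFICATE-----
</ca>
# up /bin/true     <- commented out, must not be flagged
  --up "/bin/sh -c 'id > /tmp/pwned'"
script-security 2
writepid /etc/cron.d/x
tls-verify /tmp/evil.sh
EOF
}

# Entry point: sh scan_ovpn.sh /tmp/*.ovpn
# Exit 1 if any given file carries a flagged directive, 0 if all are clean.
if [ $# -gt 0 ]; then
    rc=0
    for f in "$@"; do scan_ovpn "$f" || rc=1; done
    exit "$rc"
fi
```

On the constructed sample the script reports the `--up`, `script-security`, `writepid` and `tls-verify` lines and exits 1; the commented `# up` line and the `up` inside the certificate block are ignored. Note that OpenVPN refuses to run `up`/`down` style hooks unless `script-security` is at least 2, so a client config that sets that option is itself a signal worth flagging even when no hook directive is visible on the same import.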
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not contain information regarding the impact of CVE-2026-11406 on compliance with common standards and regulations such as GDPR or HIPAA.