CVE-2026-11447
Deferred Deferred - Pending Action

Command Injection in GL.iNet GL-MT3000

Publication date: 2026-06-07

Last updated on: 2026-06-07

Assigner: VulDB

Description
A security flaw has been discovered in GL.iNet GL-MT3000 up to 4.4.5. Impacted is the function iwinfo_backend of the file iwinfo.so of the component MTK Backend. The manipulation of the argument device results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 4.7 is recommended to address this issue. Upgrading the affected component is recommended. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection".

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-07
Last Modified
2026-06-07
Generated
2026-06-28
AI Q&A
2026-06-07
EPSS Evaluated
2026-06-26
NVD
CVE-2026-11447
EUVD
EUVD-2026-34978

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gl.inet gl-mt3000 to 4.4.5 (inc)
gl.inet gl-mt3000 4.7

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-11447 is an authenticated command injection vulnerability found in the GL-iNet GL-MT3000 router running firmware version 4.4.5. The flaw exists in the iwinfo.scan ubus RPC method, specifically in the iwinfo.so plugin's handling of the device parameter. This parameter undergoes only basic type validation without proper sanitization, allowing attackers to inject arbitrary commands.

The vulnerability arises because the device parameter is processed through multiple layers, including the iwinfo_backend() function in libiwinfo.so, which uses substring matching for backend selection but allows unfiltered input to reach a sprintf() and system() call in the MTK backend's scan function. This mismatch enables attackers to craft device strings containing shell metacharacters (such as semicolons, pipes, or command substitutions) to execute arbitrary commands.

Exploitation requires authentication and involves sending a specially crafted ubus call to the iwinfo.scan method with a malicious device parameter, resulting in root-level command execution on the device.

Impact Analysis

This vulnerability can have serious impacts as it allows an authenticated attacker to execute arbitrary commands with root privileges on the affected GL-iNet GL-MT3000 router. This could lead to full compromise of the device, including unauthorized access, data theft, device manipulation, or using the device as a foothold for further attacks within a network.

Because the attack can be executed remotely, it increases the risk of exploitation by attackers who gain authentication, potentially leading to loss of confidentiality, integrity, and availability of the device and connected systems.

Detection Guidance

This vulnerability can be detected by attempting to invoke the iwinfo.scan ubus RPC method with a crafted device parameter containing shell metacharacters to test for command injection.

Since exploitation requires authentication, detection involves sending an authenticated ubus call to the iwinfo.scan method with a malicious device string and observing if arbitrary commands are executed.

  • Use ubus command line tool to call iwinfo.scan with a crafted device parameter, for example: ubus call iwinfo scan '{"device":"eth0;id"}'
  • Check for unexpected command execution results or system behavior indicating command injection.
Mitigation Strategies

The recommended immediate mitigation is to upgrade the GL.iNet GL-MT3000 firmware to version 4.7 or later, where global protection against malicious injection has been added.

Until upgrading, restrict access to the ubus RPC interface and ensure only trusted authenticated users can interact with the iwinfo.scan method to reduce the risk of exploitation.

Compliance Impact

The vulnerability allows authenticated remote attackers to execute arbitrary commands with root privileges on the affected GL-iNet GL-MT3000 device. This could lead to unauthorized access, data manipulation, or data exfiltration.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure system integrity.

However, the provided information does not explicitly describe the direct impact on compliance frameworks or mention specific regulatory consequences.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11447. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart