CVE-2026-11447
Command Injection in GL.iNet GL-MT3000
Publication date: 2026-06-07
Last updated on: 2026-06-07
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gl.inet | gl-mt3000 | up to 4.4.5 (inclusive) |
| gl.inet | gl-mt3000 | 4.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-11447 is an authenticated command injection vulnerability in the GL.iNet GL-MT3000 router running firmware version 4.4.5. The flaw is in the iwinfo.scan ubus RPC method, specifically in the iwinfo.so plugin's handling of the device parameter. That parameter receives only basic type validation and no content sanitization, so an attacker can inject arbitrary commands through it.
The device parameter passes through several layers, including the iwinfo_backend() function in libiwinfo.so, which selects a backend by substring matching but passes the unfiltered string on to a sprintf() call and then a system() call in the MTK backend's scan function. Because the substring match does not constrain the rest of the string, a device value containing shell metacharacters (semicolons, pipes, command substitutions) is interpreted by the shell and executes arbitrary commands.
Exploitation requires authentication and consists of sending a crafted ubus call to the iwinfo.scan method with a malicious device parameter, which results in command execution as root on the device.
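The root cause described above is a classic shape: a caller-controlled string is formatted into a command line and handed to system(). The following added example (not GL.iNet's or libiwinfo's code; the helper names scan_tool, build_scan_argv and first_shell_metachar are assumptions for illustration) shows the "before" pattern next to a hardened version that allowlists the interface name and passes it as a separate argv element so no shell ever parses it. The metacharacter check is also usable on the defensive side to flag a suspicious device value in a request or log line.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative hardening for a "device" parameter that ends up in a command
 * string. Not the vendor's or libiwinfo's code; names are assumptions. */

#define MAX_IFNAME 15   /* Linux IFNAMSIZ minus the terminating NUL */

/* Returns the first byte of s that a POSIX shell treats specially, or 0 if
 * none is present. Useful for rejecting input and for flagging a suspicious
 * device value when reviewing RPC requests or logs. */
int first_shell_metachar(const char *s) {
    static const char meta[] = ";|&$`\"'<>(){}[]*?~!\\ \t\n\r#";
    for (; *s; s++) {
        if (strchr(meta, *s) != NULL)
            return (unsigned char)*s;
    }
    return 0;
}

/* Allowlist: non-empty, at most MAX_IFNAME bytes, characters [A-Za-z0-9_.-].
 * An allowlist is stricter than denying known metacharacters, so it also
 * covers characters a particular shell might treat specially. */
bool is_safe_ifname(const char *name) {
    if (name == NULL) return false;
    size_t len = strlen(name);
    if (len == 0 || len > MAX_IFNAME) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return false;
    }
    return true;
}

/* "Before" shape from the description: the unchecked name is formatted into a
 * command line that would be passed to system(). Shown for contrast only; this
 * program never executes the resulting string. */
int build_scan_command_unsafe(char *out, size_t outsz, const char *dev) {
    return snprintf(out, outsz, "scan_tool %s", dev);
}

/* Hardened shape: validate first, then hand the name to the helper as its own
 * argv element (for execvp() or posix_spawn()), so there is no shell to
 * reinterpret it. Returns argc on success, -1 if the name is rejected. */
int build_scan_argv(const char *dev, const char *argv[], size_t argv_cap) {
    if (argv_cap < 3 || !is_safe_ifname(dev)) return -1;
    argv[0] = "scan_tool";   /* hypothetical backend helper binary */
    argv[1] = dev;
    argv[2] = NULL;
    return 2;
}

int main(void) {
    /* Constructed sample inputs: a normal name, the page's example, a pipe. */
    const char *samples[] = { "wlan0", "eth0;id", "wlan0|id", "" };
    char cmd[64];
    const char *argv[4];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int bad = first_shell_metachar(samples[i]);
        build_scan_command_unsafe(cmd, sizeof cmd, samples[i]);
        int rc = build_scan_argv(samples[i], argv, 4);
        printf("device=\"%s\" unsafe_cmd=\"%s\" metachar=%s%c%s allowlisted=%s\n",
               samples[i], cmd, bad ? "'" : "", bad ? bad : '-', bad ? "'" : "",
               rc >= 0 ? "yes" : "no");
    }
    return 0;
}
```

The allowlist deliberately rejects anything that is not a plausible Linux interface name rather than trying to strip metacharacters; combined with an argv-based exec, the device value can no longer change the command that runs even if the allowlist were later loosened.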
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to execute arbitrary commands with root privileges on the affected GL.iNet GL-MT3000 router. That amounts to full compromise of the device: unauthorized access, data theft, manipulation of the device's configuration, or use of the router as a foothold for further attacks inside the network it serves.
Because the attack can be carried out remotely, any attacker who obtains valid credentials can exploit it, with potential loss of confidentiality, integrity, and availability for the device and the systems connected through it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by invoking the iwinfo.scan ubus RPC method with a crafted device parameter containing shell metacharacters and checking whether the injected command runs.
Since exploitation requires authentication, the test is an authenticated ubus call to the iwinfo.scan method with a malicious device string, followed by observation of whether arbitrary commands are executed.
- Use the ubus command-line tool to call iwinfo.scan with a crafted device parameter, for example: ubus call iwinfo scan '{"device":"eth0;id"}'
- Check for unexpected command output or system behaviour that indicates the injected command ran.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade the GL.iNet GL-MT3000 firmware to version 4.7 or later, where global protection against malicious injection has been added.
Until the upgrade is applied, restrict access to the ubus RPC interface and ensure that only trusted authenticated users can reach the iwinfo.scan method, which reduces the exposure of the vulnerable code path.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated remote attackers to execute arbitrary commands with root privileges on the affected GL.iNet GL-MT3000 device, which could lead to unauthorized access, data manipulation, or data exfiltration.
Such unauthorized access and the resulting potential for data breaches could affect compliance with standards and regulations such as GDPR and HIPAA, which require that personal and sensitive data be protected against unauthorized access and that system integrity be maintained.
However, the available information does not explicitly describe a direct impact on any compliance framework or name specific regulatory consequences.