CVE-2026-11448
Deferred Deferred - Pending Action

Command Injection in GL.iNet GL-MT3000

Publication date: 2026-06-07

Last updated on: 2026-06-08

Assigner: VulDB

Description
A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. The affected element is the function realpath of the file /rpc of the component Minidlna Service. This manipulation of the argument kube. set causes command injection. The attack is possible to be carried out remotely. Upgrading to version 4.7 is sufficient to fix this issue. It is recommended to upgrade the affected component. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection".

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-07
Last Modified
2026-06-08
Generated
2026-06-28
AI Q&A
2026-06-07
EPSS Evaluated
2026-06-26
NVD
CVE-2026-11448
EUVD
EUVD-2026-34979

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gl.inet gl-mt3000 to 4.4.5 (inc)
gl.inet gl-mt3000 From 4.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-11448 is an authenticated command injection vulnerability in the GL.iNet GL-MT3000 router running firmware up to version 4.4.5. The flaw exists in the minidlna service, specifically in the realpath function of the /rpc file. An attacker with admin credentials can exploit this vulnerability by sending specially crafted requests to the /rpc endpoint, manipulating the uci.set argument to inject shell commands.

The attack works by modifying the minidlna configuration parameter db_dir with malicious shell metacharacters. Because of missing input validation, lack of shell quoting, and overly permissive access control lists (ACLs), the injected commands are executed with root privileges when the minidlna service restarts and processes the configuration.

This vulnerability allows an attacker to execute arbitrary commands on the device remotely after authenticating, potentially compromising the entire system.

Impact Analysis

This vulnerability can have serious impacts including unauthorized execution of arbitrary commands with root privileges on the affected device.

  • Attackers can read sensitive files stored on the device.
  • They can modify system configurations, potentially disrupting device functionality or creating persistent backdoors.
  • The device can be fully compromised, allowing attackers to control it remotely.
  • This could lead to further attacks on the network or connected systems.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the /rpc endpoint of the GL.iNet GL-MT3000 device, especially those attempting to use the uci.set method to modify the minidlna configuration.

Commands to detect exploitation attempts could include inspecting web server logs for POST requests to /rpc with payloads containing shell metacharacters such as semicolons (;), pipes (|), or command substitutions.

For example, on the device or network logs, you can use commands like:

  • grep -i 'POST /rpc' /var/log/nginx/access.log | grep -E ';|\||`'
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'POST /rpc|uci.set'

Additionally, checking for unexpected changes in the minidlna configuration files or unusual restarts of the minidlna service may indicate exploitation.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade the GL.iNet GL-MT3000 firmware to version 4.7 or later, as this version includes global protection to intercept malicious injection attempts.

Until the upgrade can be applied, restrict access to the device's web interface to trusted users only, as exploitation requires authenticated access.

Additionally, review and tighten the rpcd ACL configuration to limit permissions for uci.set and other potentially dangerous operations.

Monitoring for suspicious activity and disabling or restricting the minidlna service if it is not required can also reduce risk.

Compliance Impact

This vulnerability allows an authenticated attacker to execute arbitrary commands with root privileges on the affected device, potentially leading to unauthorized access, modification, or deletion of sensitive data.

Such unauthorized access and control over system configurations and data could result in violations of data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.

Therefore, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of data, impacting compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11448. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart