CVE-2026-11448
Command Injection in GL.iNet GL-MT3000
Publication date: 2026-06-07
Last updated on: 2026-06-07
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gl.inet | gl-mt3000 | to 4.4.5 (inc) |
| gl.inet | gl-mt3000 | From 4.7 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-11448 is an authenticated command injection vulnerability in the GL.iNet GL-MT3000 router running firmware up to version 4.4.5. The flaw exists in the minidlna service, specifically in the realpath function of the /rpc file. An attacker with admin credentials can exploit this vulnerability by sending specially crafted requests to the /rpc endpoint, manipulating the uci.set argument to inject shell commands.
The attack works by modifying the minidlna configuration parameter db_dir with malicious shell metacharacters. Because of missing input validation, lack of shell quoting, and overly permissive access control lists (ACLs), the injected commands are executed with root privileges when the minidlna service restarts and processes the configuration.
This vulnerability allows an attacker to execute arbitrary commands on the device remotely after authenticating, potentially compromising the entire system.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized execution of arbitrary commands with root privileges on the affected device.
- Attackers can read sensitive files stored on the device.
- They can modify system configurations, potentially disrupting device functionality or creating persistent backdoors.
- The device can be fully compromised, allowing attackers to control it remotely.
- This could lead to further attacks on the network or connected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the /rpc endpoint of the GL.iNet GL-MT3000 device, especially those attempting to use the uci.set method to modify the minidlna configuration.
To look for exploitation attempts, inspect web server logs for POST requests to /rpc with payloads containing shell metacharacters such as semicolons (;), pipes (|), or command substitutions. A default access log records the request line but not the POST body, so the grep below only matches payload characters if request-body logging is enabled, and the tcpdump capture only sees cleartext HTTP on port 80.
For example, on the device or on network logs, you can use commands like:
- grep -i 'POST /rpc' /var/log/nginx/access.log | grep -E ';|\||`|\$\('
- tcpdump -l -n -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'POST /rpc|uci\.set'
Additionally, checking for unexpected changes in the minidlna configuration files or unusual restarts of the minidlna service may indicate exploitation.
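One way to script the configuration check described above, as an added example that is not code from the vendor or from this advisory. The function name, the allowlist of path characters, and the sample config are assumptions; on a device the file to check would be the minidlna UCI config, /etc/config/minidlna in the standard OpenWrt layout.

```shell
#!/bin/sh
# Added example (not vendor code): flag a UCI path option, by default db_dir,
# whose value is not a plain absolute path.
# Assumption: a db directory only needs letters, digits and "_ . / -".
# Exit status: 0 = clean or option absent, 1 = suspicious value, 2 = unreadable file.
check_uci_path_option() {
    file=$1
    opt=${2:-db_dir}
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    awk -v opt="$opt" -v sq="'" '
        BEGIN { bad = 0 }
        $1 == "option" && $2 == opt {
            val = $0
            # Drop the leading "option <name>" tokens and keep the raw value text.
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", val)
            # Strip one pair of surrounding quotes, as UCI writes values.
            first = substr(val, 1, 1); last = substr(val, length(val), 1)
            if (length(val) >= 2 && first == last && (first == sq || first == "\""))
                val = substr(val, 2, length(val) - 2)
            # Allowlist check: anything outside the plain-path alphabet is reported.
            if (val !~ "^/[A-Za-z0-9_./-]*$") {
                printf "%s:%d: suspicious %s value: %s\n", FILENAME, NR, opt, val
                bad = 1
            }
        }
        END { exit bad }
    ' "$file"
}

# Constructed sample config (not taken from a real device) for a stand-alone run.
demo() {
    sample=$(mktemp) || return 0
    cat > "$sample" <<'EOF'
config minidlna 'config'
    option enabled '1'
    option db_dir '/var/run/minidlna/db;id'
EOF
    rc=0
    check_uci_path_option "$sample" db_dir || rc=$?
    echo "exit status: $rc"
    rm -f "$sample"
}
demo
```

A non-zero result from a scheduled run of this check is a reason to compare the config against a known-good backup and to review recent minidlna restarts.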
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade the GL.iNet GL-MT3000 firmware to version 4.7 or later, as this version includes global protection to intercept malicious injection attempts.
Until the upgrade can be applied, restrict access to the device's web interface to trusted users only, as exploitation requires authenticated access.
Additionally, review and tighten the rpcd ACL configuration to limit permissions for uci.set and other potentially dangerous operations.
Monitoring for suspicious activity and disabling or restricting the minidlna service if it is not required can also reduce risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated attacker to execute arbitrary commands with root privileges on the affected device, potentially leading to unauthorized access, modification, or deletion of sensitive data.
Such unauthorized access and control over system configurations and data could result in violations of data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.
Therefore, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of data, impacting compliance with these regulations.