CVE-2026-11449
Command Injection in GL.iNet GL-MT3000
Publication date: 2026-06-07
Last updated on: 2026-06-07
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gl.inet | gl-mt3000 | 4.4.5 |
| gl.inet | gl-mt3000 | 4.8.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-11449 is an authenticated remote code execution vulnerability affecting GL.iNet GL-MT3000 devices running firmware version 4.4.5. It exists in the LuCI JSON-RPC interface, specifically in the rpc_sys function of the /cgi-bin/luci/rpc component. The vulnerability arises due to improper access controls and lack of input sanitization, allowing an attacker with root credentials to execute arbitrary commands on the device.
- The nginx server exposes the legacy LuCI CGI path without proper restrictions.
- The authentication endpoint allows login without requiring a prior session.
- The rpc_sys() function exposes all luci.sys module functions without a whitelist.
- The luci.sys.exec function directly executes commands without input sanitization.
- An attacker can authenticate with root credentials, obtain a session ID, and send commands that execute as root on the device.
How can this vulnerability impact me? :
This vulnerability allows an attacker who knows the root password to remotely execute arbitrary commands on the affected device with root privileges. This can lead to full compromise of the device, including unauthorized access, data theft, manipulation of device settings, installation of malicious software, or disruption of device functionality.
- Remote code execution as root user.
- Potential unauthorized access to sensitive data stored on the device.
- Ability to alter device configuration or firmware.
- Possible denial of service or device takeover.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to authenticate and execute commands via the LuCI JSON-RPC interface on the affected GL.iNet GL-MT3000 device running firmware version 4.4.5.
- Use a POST request to /cgi-bin/luci/rpc/auth with root credentials to obtain a session ID.
- Send a POST request to /cgi-bin/luci/rpc/sys?auth=<sid> with the method "exec" and arbitrary command parameters to test if command execution is possible.
- A successful command execution returning output in the JSON-RPC response indicates the presence of the vulnerability.
A proof-of-concept Python script exists that automates this process by authenticating and executing arbitrary commands on the device.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade the GL.iNet GL-MT3000 device firmware to version 4.8.1 or later.
Firmware versions after 4.7.13 do not install the LuCI component by default, which effectively prevents exploitation of this vulnerability.
Upgrading the affected component removes the vulnerable LuCI JSON-RPC interface and fixes the command injection issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.