CVE-2026-11451
Received - Intake
Command Injection in GL.iNet GL-MT3000

Publication date: 2026-06-07

Last updated on: 2026-06-07

Assigner: VulDB

Description
A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir can lead to command injection. It is possible to launch the attack remotely. Upgrading to version 4.8.1 will fix this issue. You should upgrade the affected component. The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report—which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #—cannot escape execution under the current code path. We also verified this on a GL-MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”."
Meta Information
Published: 2026-06-07
Last Modified: 2026-06-07
Generated: 2026-06-07
AI Q&A: 2026-06-07
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
gl.inet | gl-mt3000 | to 4.4.5 (inc)
gl.inet | gl-mt3000 | to 4.8.1 (inc)
CWE ID | Description
CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-11451 is an unauthenticated command injection vulnerability affecting GL.iNet MT3000 devices running firmware version 4.4.5.

The flaw exists in the /cgi-bin/glc endpoint, which processes JSON requests without authentication checks or input validation.

Specifically, the vulnerability is triggered through the nas-web.so plugin that forwards the set_proto_config request to the gl_nas_sys root daemon.

The FTP protocol handler in gl_nas_sys extracts the media_dir parameter from the JSON payload and passes it unsanitized into system() calls, allowing attackers to inject shell metacharacters by including a single quote in the media_dir value.

This enables arbitrary command execution as the root user by sending a crafted POST request to /cgi-bin/glc with a specially formatted media_dir parameter containing shell commands.

The root cause involves three components: the unauthenticated /www/cgi-bin/glc endpoint, the transparent JSON proxy in nas-web.so, and unsafe system() calls in gl_nas_sys.


How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary commands on the affected device as the root user without any authentication.

Such command injection can lead to full compromise of the device, including unauthorized access, data theft, device manipulation, or using the device as a foothold for further attacks within a network.

Because the attack can be launched remotely via a crafted POST request, it poses a significant risk to the security and integrity of the affected system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a crafted POST request to the /cgi-bin/glc endpoint with a specially formatted media_dir parameter containing shell commands. Monitoring for such suspicious POST requests targeting /cgi-bin/glc with unusual or shell metacharacters in the media_dir parameter can help identify exploitation attempts.

A possible detection command using curl to test the vulnerability could be:

  • curl -X POST http://<target-ip>/cgi-bin/glc -d '{"media_dir":"test'\'';id;#"}' -H 'Content-Type: application/json'

If the system executes the injected command (e.g., id), it indicates the presence of the vulnerability.
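
The monitoring approach described above can be run over request bodies recorded by a reverse proxy or IDS. The following is an added example, not code from GL.iNet or from the original report; the metacharacter set, the nested "params"/"proto" wrapper in one sample, and all sample requests are assumptions constructed for illustration.

```python
import json

# Assumption: characters that have no place in a directory path and that a
# shell treats specially; tune the set for your environment.
SHELL_META = set("'\"`;|&$<>(){}#\\\n\r")
TARGET_PATH = "/cgi-bin/glc"

def find_values(node, key="media_dir"):
    """Yield every value stored under `key` at any depth of a decoded JSON body."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_values(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_values(item, key)

def inspect_request(method, path, body):
    """Return a list of findings for one HTTP request; an empty list means clean."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        # A body that breaks JSON parsing but names media_dir deserves a look.
        return ["unparseable body mentions media_dir"] if "media_dir" in str(body) else []
    findings = []
    for value in find_values(doc):
        if not isinstance(value, str):
            findings.append(f"media_dir is not a string: {value!r}")
            continue
        bad = sorted(SHELL_META.intersection(value))
        if bad:
            findings.append(f"media_dir contains shell metacharacters {bad}: {value!r}")
    return findings

# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    ("POST", "/cgi-bin/glc", '{"media_dir":"/mnt/sda1/media"}'),
    ("POST", "/cgi-bin/glc", '{"media_dir":"test\';id;#"}'),
    ("POST", "/cgi-bin/glc", '{"params":{"proto":"ftp","media_dir":"a`b"}}'),
    ("POST", "/cgi-bin/glc", '{"media_dir":"test'),
    ("GET", "/cgi-bin/glc", ""),
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req[2][:40], "->", inspect_request(*req) or "clean")
```

The search is recursive because the page does not show the full request envelope, so media_dir is matched at any depth of the JSON body.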


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the affected GL.iNet GL-MT3000 device firmware to version 4.8.1 or later, where the vulnerability has been fixed by escaping single quotes in the media_dir parameter before processing.

Additional mitigation measures include:

  • Implement input validation on the media_dir parameter to prevent injection of shell metacharacters.
  • Replace unsafe system() calls with safe file operations in the affected components.
  • Add authentication checks to the /cgi-bin/glc endpoint to prevent unauthenticated access.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

