CVE-2026-11452
Command Injection in GL.iNet GL-MT3000
Publication date: 2026-06-07
Last updated on: 2026-06-07
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gl.inet | gl-mt3000 | up to 4.4.5 (inclusive) |
| gl.inet | gl-mt3000 | 4.8.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows a remote attacker to execute arbitrary commands on the affected GL.iNet GL-MT3000 device with root privileges without any authentication.
An attacker could leverage this to take full control of the device, potentially leading to unauthorized access to network resources, interception or manipulation of network traffic, installation of malware, or disruption of device functionality.
Can you explain this vulnerability to me?
CVE-2026-11452 is an unauthenticated command injection vulnerability in the GL.iNet GL-MT3000 router running firmware up to version 4.4.5. The flaw exists in the /cgi-bin/glc endpoint, specifically in the SET_USER_PWD Handler function, where the password parameter is passed through multiple functions and eventually used in a shell command constructed with snprintf and executed via system().
Because the password is placed inside double quotes, shell command substitution (such as $(command)) can be executed before the intended command runs, allowing an attacker to execute arbitrary commands as root on the device without authentication.
The vulnerability arises due to insufficient validation of the password parameter and the use of unsafe system calls. The vendor fixed this issue in firmware version 4.8.1 by escaping single quotes and preventing command substitution payloads from executing.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious requests to the `/cgi-bin/glc` endpoint, specifically JSON payloads containing the `set_user_pwd` command with unusual or crafted password parameters that include shell command substitution syntax such as `$()` or backticks.
A practical detection method is to capture and analyze HTTP requests to the device for any password parameters containing shell metacharacters or command substitution patterns.
Example commands to detect exploitation attempts might include using network traffic analysis tools like tcpdump or Wireshark to filter HTTP POST requests to `/cgi-bin/glc` and then searching for suspicious payloads.
- `tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/glc'`
- ``grep -E '\$\(|`' captured_payloads.txt``
Additionally, checking the system for unexpected files or markers created by command execution attempts can help detect exploitation, although the vendor notes that in fixed versions such markers are not created.
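The detection approach above, as an added example that is not part of the advisory or the vendor's code: it decodes request bodies sent to `/cgi-bin/glc` and flags `set_user_pwd` calls whose password carries shell substitution syntax. The JSON layout (`method` and `params.password` keys) and the sample traffic are assumptions, since the advisory names only the endpoint, the command and the parameter.

```python
"""Flag set_user_pwd requests whose password contains shell substitution syntax.
Request layout below is an assumption, not the documented GL.iNet format."""
import json
import re

# $( ) and backticks are the substitution forms named in the advisory; $VAR and
# backslash escapes are the other expansions a double-quoted argument still allows.
SUSPICIOUS = re.compile(r'\$\(|`|\$\{?[A-Za-z_]|\\')

def extract_password(body: str):
    """Return the password parameter of a set_user_pwd request body, else None."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    # Assumed layout: {"method": "set_user_pwd", "params": {"password": "..."}}
    if not isinstance(msg, dict) or msg.get("method") != "set_user_pwd":
        return None
    params = msg.get("params")
    if not isinstance(params, dict):
        return None
    pwd = params.get("password")
    return pwd if isinstance(pwd, str) else None

def classify_request(path: str, body: str) -> str:
    """'ignore' for unrelated traffic, 'benign' for an ordinary password change,
    'alert' when the password carries shell substitution syntax."""
    if path != "/cgi-bin/glc":
        return "ignore"
    pwd = extract_password(body)
    if pwd is None:
        return "ignore"
    return "alert" if SUSPICIOUS.search(pwd) else "benign"

# Constructed sample traffic (path, body) for a dry run; not captured data.
SAMPLES = [
    ("/cgi-bin/glc", '{"method":"set_user_pwd","params":{"password":"Tr0ub4dor&3"}}'),
    ("/cgi-bin/glc", '{"method":"set_user_pwd","params":{"password":"a$(command)b"}}'),
    ("/cgi-bin/glc", '{"method":"get_status","params":{}}'),
    ("/index.html", ""),
]

def run(samples=SAMPLES):
    """Classify every sample; symbols like & stay benign, $( ) raises an alert."""
    return [classify_request(path, body) for path, body in samples]

if __name__ == "__main__":
    for (path, body), verdict in zip(SAMPLES, run()):
        print(f"{verdict:7s} {path} {body}")
```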
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade the GL.iNet GL-MT3000 firmware to version 4.8.1 or later, where this vulnerability has been addressed.
Until the upgrade can be applied, restrict access to the `/cgi-bin/glc` endpoint by implementing network-level controls such as firewall rules to block unauthorized or external access.
Additionally, monitor the device for suspicious activity and avoid using weak or easily manipulated passwords that could be exploited via command injection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-11452 is an unauthenticated command injection vulnerability that allows remote attackers to execute arbitrary commands as root on affected GL.iNet GL-MT3000 devices. This can lead to unauthorized access and control over the device, potentially exposing sensitive data or disrupting services.
Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.
Therefore, failure to patch this vulnerability or mitigate its risks could result in non-compliance with these regulations due to the increased risk of data breaches and loss of confidentiality, integrity, and availability of protected data.