CVE-2026-12187
Status: Received - Intake
Command Injection in GL.iNet GL-MT3000

Publication date: 2026-06-14

Last updated on: 2026-06-14

Assigner: VulDB

Description
A security vulnerability has been detected in GL.iNet GL-MT3000 up to 4.4.5. Affected by this vulnerability is an unknown functionality of the file /usr/bin/one_click_upgrade of the component Online Firmware Upgrade Handler. Such manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 4.7 addresses this issue. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Meta Information
Generated: 2026-06-15
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor    Product     Version / Range
gl.inet   gl-mt3000   up to 4.4.5 (inclusive)
gl.inet   gl-mt3000   4.7
CWE ID   Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Quick Actions (AI-generated summary)
Executive Summary

This vulnerability exists in the GL.iNet GL-MT3000 device up to version 4.4.5, specifically in the Online Firmware Upgrade Handler component located in the file /usr/bin/one_click_upgrade. It allows an attacker to perform command injection by manipulating this functionality. The attack can be executed remotely, so an attacker does not need physical access to the device to exploit it.

The vendor has addressed this issue by releasing version 4.7, which fixes the vulnerability.

Impact Analysis

This vulnerability can have severe impacts as it allows remote command injection, which means an attacker can execute arbitrary commands on the affected device.

  • Confidentiality: The attacker can potentially access sensitive information.
  • Integrity: The attacker can modify system files or configurations.
  • Availability: The attacker can disrupt the device's normal operation, causing denial of service.

Overall, this can lead to full compromise of the device, impacting network security and trust.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the affected GL.iNet GL-MT3000 device to version 4.7 or later, as this version addresses the issue.

Upgrading the affected component, specifically the Online Firmware Upgrade Handler, is advised to prevent remote command injection attacks.
