
GL.iNet MT3000 CVE-2026-11406

EUVD-2026-34963 · LOW
Command Injection (CWE-77)
2026-06-06 · VulDB · GHSA-6qr8-c78q-5fg9
Score: 2.1 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (4 events)

Jun 06, 2026 - 10:22 NVD: Severity changed, MEDIUM -> LOW
Jun 06, 2026 - 10:22 NVD: CVSS changed, 6.3 (MEDIUM) -> 2.1 (LOW)
Jun 06, 2026 - 10:21 vuln.today: Analysis generated
Jun 06, 2026 - 09:15 nvd: CVE published, MEDIUM 6.3

Description (CVE.org)

A vulnerability was determined in GL.iNet MT3000 up to 4.4.5. This vulnerability affects unknown code of the file ovpnclient.sh of the component OpenVPN Client Import Workflow. This manipulation causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 4.9.0_beta3-1012-0513-1778656146 is able to resolve this issue. You should upgrade the affected component. The vendor confirms: "This issue has been addressed by implementing malicious checks on OpenVPN configuration files to prevent command injection attacks carried through malicious configuration files."

Analysis (AI)

Command injection in GL.iNet MT3000 routers running firmware up to version 4.4.5 allows authenticated remote attackers to execute arbitrary OS commands by supplying a crafted OpenVPN configuration file through the device's OpenVPN Client Import Workflow. The shell script ovpnclient.sh processes imported .ovpn files without adequately sanitizing user-controlled content, enabling embedded shell metacharacters or directives to execute at the OS level. …
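Added example (illustrative code written for this page, not GL.iNet's ovpnclient.sh and not the vendor's actual fix): a pre-import check in POSIX sh that refuses an untrusted .ovpn file before any shell script or OpenVPN process consumes it, which is the kind of "malicious check on OpenVPN configuration files" the vendor statement describes. The directive names it blocks are real OpenVPN options that execute external programs; the character policy, the inline-block handling and the function names check_ovpn_config and reject_line are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not GL.iNet's ovpnclient.sh): a check an import workflow can
# run on an untrusted .ovpn file BEFORE any shell script touches its contents.
# Exit status 0 = safe to hand on, 1 = rejected (offending line goes to stderr).
# The directive names are real OpenVPN options; the policy is this example's own.

LC_ALL=C
export LC_ALL

# OpenVPN options that make openvpn execute an external program. A client config
# imported onto a router never needs them, so they are refused outright.
OVPN_EXEC_DIRECTIVES='script-security up down route-up route-pre-down ipchange
tls-verify client-connect client-disconnect learn-address auth-user-pass-verify plugin'

# Characters a config line may contain: letters, digits, space and the punctuation
# that hostnames, ports, paths, cipher names and PEM bodies use. Shell
# metacharacters (; | & $ ` ( ) < > \ ' " and tab) are deliberately absent.
OVPN_VALUE_CHARS='A-Za-z0-9 ._:/=@+,-'

reject_line() {
    printf 'ovpn-check: rejected line: %s\n' "$1" >&2
}

check_ovpn_config() {
    file=$1
    in_block=0
    cr=$(printf '\r')
    if [ ! -r "$file" ]; then
        reject_line "(unreadable file: $file)"
        return 1
    fi
    # 'read -r' keeps backslashes literal; the default IFS trims surrounding blanks.
    while read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                 # tolerate CRLF files from Windows hosts
        case "$line" in
            ''|'#'*|';'*) continue ;;      # blank line or comment
            '<'*'>')                       # inline block tag such as <ca> or </ca>
                tag=${line#"<"}; tag=${tag%">"}
                case "$tag" in
                    /*) in_block=0; tag=${tag#/} ;;
                    *)  in_block=1 ;;
                esac
                case "$tag" in
                    ''|*[!a-z-]*) reject_line "$line"; return 1 ;;
                esac
                continue ;;
        esac
        # The character policy applies to every line, PEM bodies included.
        case "$line" in
            *[!$OVPN_VALUE_CHARS]*) reject_line "$line"; return 1 ;;
        esac
        if [ "$in_block" -eq 1 ]; then
            continue                       # certificate/key material, no directive
        fi
        directive=${line%% *}              # first word of the line
        case "$directive" in
            *[!a-z0-9-]*) reject_line "$line"; return 1 ;;
        esac
        for d in $OVPN_EXEC_DIRECTIVES; do
            if [ "$directive" = "$d" ]; then
                reject_line "$line"
                return 1
            fi
        done
    done < "$file"
    return 0
}

# Stand-alone use: sh ovpn_check.sh client.ovpn && echo "import allowed"
if [ "$#" -eq 1 ]; then
    check_ovpn_config "$1"
fi
```

Run it as the first step of the import workflow and only hand the file to the script that configures the client when it exits 0. A deny-list of executing directives plus a strict character policy is the minimum; an allow-list of the handful of directives the router actually supports is stronger and is the direction to take in production. Independently of this check, the consuming script should always quote expansions of config-derived values and never pass them to eval or an unquoted command line.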


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain or guess low-privilege MT3000 admin credentials
Delivery: Authenticate to web management interface over network
Exploit: Craft .ovpn file embedding shell injection payload
Install: Upload malicious config via OpenVPN Client Import Workflow
C2: ovpnclient.sh processes file without sanitization
Execute: Injected OS commands execute on router
Impact: Arbitrary command execution achieved on device

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to hold at least low-level authenticated access (PR:L per CVSS vector) to the GL.iNet MT3000 web management interface; unauthenticated exploitation is not supported by the available data. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 base score of 6.3 (Medium) reflects network-reachable exploitation (AV:N), low attack complexity (AC:L), low privilege requirement (PR:L, authenticated), no user interaction (UI:N), and unchanged scope with low-level confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has obtained low-privilege credentials for the GL.iNet MT3000 management interface (through credential stuffing, default password exploitation, or phishing) authenticates to the web UI and navigates to the OpenVPN Client Import feature. They upload a crafted .ovpn configuration file with shell injection payloads embedded in fields processed by ovpnclient.sh (for example, in the remote, dev, or cert directive values), causing arbitrary OS commands to execute on the router with the script's runtime privileges. …

Remediation: The primary remediation is upgrading the GL.iNet MT3000 firmware to version 4.9.0_beta3-1012-0513-1778656146, available at https://fw.gl-inet.cn/firmware/mt3000/testing/mt3000-4.9.0_beta3-1012-0513-1778656146.tar. … Detailed patch versions, workarounds, and compensating controls in full report.



CVE-2026-11406 vulnerability details – vuln.today
