Severity by source
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A weakness has been identified in GL.iNet GL-MT3000 up to version 4.4.5. The affected element is the function realpath of the file /rpc in the Minidlna Service component. Manipulation of the argument kube.set causes command injection. The attack can be carried out remotely. Upgrading to version 4.7 is sufficient to fix this issue; it is recommended to upgrade the affected component. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection".
Analysis (AI)
Remote command injection in GL.iNet GL-MT3000 firmware versions up to 4.4.5 enables a network-reachable, high-privilege attacker to execute arbitrary OS commands through the Minidlna service's /rpc endpoint by manipulating the kube.set argument of the realpath function. The vendor has confirmed the vulnerability and released a fix in firmware version 4.7, citing SDK-level global sanitization as the remediation. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires an authenticated session with high-privilege (administrator-level) credentials on the GL-MT3000 device, as confirmed by CVSS PR:H. … |
| Risk Assessment | The CVSS 4.7 Medium score is primarily constrained by PR:H (high privileges required), meaning an attacker must already hold administrator-level credentials before exploitation, which substantially narrows the realistic threat surface despite the network-accessible attack vector (AV:N) and low attack complexity (AC:L). … |
| Exploit Scenario | An attacker who has obtained GL-MT3000 administrator credentials (through default password reuse, credential theft, or a prior compromise) sends a crafted POST request to the device's /rpc endpoint, embedding shell metacharacters in the kube.set argument processed by the Minidlna service's realpath function. The unsanitized argument is passed directly into a system command, so the router executes the injected payload with device-level privileges. … |
| Remediation | Upgrade GL.iNet GL-MT3000 firmware to version 4.7 or later, which the vendor has confirmed includes SDK-level global protection to intercept malicious injection across the platform. … |
Related identifiers
- EUVD-2026-34979
- GHSA-pg7m-jpvg-gp32