Skip to main content

GL.iNet GL-MT3000 CVE-2026-11449

| EUVD-2026-34980 MEDIUM
Command Injection (CWE-77)
2026-06-07 VulDB GHSA-w9mf-f5g7-vfhw
Command Injection Gl Mt3000
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 07, 2026 - 03:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Jun 07, 2026 - 02:57 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in GL.iNet GL-MT3000 4.4.5. The impacted element is the function rpc_sys of the file /cgi-bin/luci/rpc of the component LuCI JSON-RPC Interface. Such manipulation leads to command injection. The attack may be performed from remote. Upgrading to version 4.8.1 is sufficient to resolve this issue. Upgrading the affected component is advised. The vendor confirms: "The issue discovered by the vulnerability researcher on older firmware versions(4.4.5) has actually been fixed and mitigated in the new version. According to the latest firmware fixes, by default, firmware versions after 4.7.13 do not install LuCI, so this vulnerability cannot be exploited."

AnalysisAI

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows a remote, low-privileged attacker to execute arbitrary OS commands via the rpc_sys function exposed through the LuCI JSON-RPC interface at /cgi-bin/luci/rpc. The vendor has confirmed the vulnerability and released a fix in firmware 4.8.1; critically, versions after 4.7.13 no longer install LuCI by default, eliminating the attack surface for most current deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege LuCI credentials
Delivery
Send crafted JSON-RPC POST to /cgi-bin/luci/rpc
Exploit
Inject shell metacharacters into rpc_sys function parameter
Execution
Router executes attacker-controlled OS commands
Impact
Achieve persistent root-level access on device
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Three conditions must all be true for exploitation: (1) the target device runs GL-MT3000 firmware version 4.4.5 or another version in the 4.4.5-4.7.13 range that installs LuCI by default - firmware after 4.7.13 does not install LuCI by default and is not exploitable in default configuration; (2) the LuCI package is installed and the `/cgi-bin/luci/rpc` endpoint is reachable from the attacker's network position; (3) the attacker holds at least low-privilege authenticated access to the LuCI interface (PR:L per CVSS vector), meaning valid credentials or a captured session token are required - unauthenticated exploitation is not supported by available data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.3 (Medium) reflects a network-reachable attack (AV:N) with low complexity (AC:L) but a meaningful barrier in the form of required low-privilege authentication (PR:L), which limits purely opportunistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained low-privilege credentials for the GL-MT3000 web interface - through credential stuffing, default credential use, or prior access - sends a crafted HTTP POST request to `/cgi-bin/luci/rpc` with shell metacharacters injected into a parameter processed by the `rpc_sys` function, causing the router to execute attacker-controlled OS commands. A proof-of-concept is publicly available on GitHub at https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/luci_rpc_sys_exec_rce, significantly reducing the skill required for exploitation. …
Remediation The primary fix is to upgrade GL-MT3000 firmware to version 4.8.1 or later, available at https://fw.gl-inet.com/firmware/mt3000/release/mt3000-4.8.1-0819-1755615825.tar. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-12186 HIGH POC
7.4 Jun 14

Authenticated command injection in the GL.iNet GL-MT3000 travel router (firmware up to 4.4.5) lets remote attackers with
CVE-2026-12187 HIGH POC
7.4 Jun 14

Command injection in the GL.iNet GL-MT3000 travel router's Online Firmware Upgrade Handler (/usr/bin/one_click_upgrade)

Share

CVE-2026-11449 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy