Skip to main content

GL.iNet GL-MT3000 CVE-2026-11450

| EUVD-2026-34981 MEDIUM
Command Injection (CWE-77)
2026-06-07 VulDB GHSA-jqrf-6qhf-8j4m
Command Injection Gl Mt3000
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jun 07, 2026 - 03:22 NVD
HIGH MEDIUM
CVSS changed
Jun 07, 2026 - 03:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Jun 07, 2026 - 02:57 vuln.today

DescriptionCVE.org

A vulnerability was detected in GL.iNet GL-MT3000 4.4.5. This affects the function dlopen in the library /usr/lib/oui-httpd/rpc/ of the component Path Normalization Handler. Performing a manipulation of the argument dev_name results in command injection. It is possible to initiate the attack remotely. Upgrading to version 4.7 mitigates this issue. It is advisable to upgrade the affected component. The vendor confirms: " From version 4.7 onward, we have enabled method‑level validation at the HTTP /rpc layer. nas‑web.eject_disk is no longer in the whitelist of allowed methods. Consequently, directly calling eject_disk through the default /rpc endpoint returns Invalid params, preventing entry into subsequent dangerous functions and blocking the remote exploit chain described in the report."

AnalysisAI

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows remote attackers to execute arbitrary OS commands by manipulating the dev_name argument passed to the dlopen function in the /usr/lib/oui-httpd/rpc/ Path Normalization Handler, reachable via the nas-web.eject_disk RPC method. Publicly available exploit code exists on GitHub demonstrating the chain. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach GL-MT3000 /rpc over network
Delivery
Send POST to nas-web.eject_disk
Exploit
Inject shell metacharacters via dev_name
Execution
Trigger command injection in path handler
Persist
Execute arbitrary commands as oui-httpd
Impact
Pivot to device takeover or LAN access
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must be able to reach the GL-MT3000's oui-httpd web/RPC service on TCP (typically port 80/443 on the LAN, or the WAN side only if the user has explicitly enabled remote admin - not default). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L yields 7.3 (High): network-reachable, low complexity, no privileges, no user interaction, with limited CIA impact - limited likely reflecting that oui-httpd typically runs as a constrained service rather than full root, though on consumer routers this still often equates to device takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same Wi-Fi network as a GL-MT3000 (or reaching it across the WAN if the admin interface is exposed) sends an unauthenticated HTTP POST to the /rpc endpoint invoking nas-web.eject_disk with a crafted dev_name containing shell metacharacters such as `;` or backticks. The injected command is concatenated into the dlopen-adjacent path handling routine and executed by the oui-httpd process, giving the attacker arbitrary command execution on the router. …
Remediation Vendor-released patch: upgrade GL-MT3000 firmware to version 4.7 or later, which removes nas-web.eject_disk from the /rpc method whitelist so the vulnerable code path can no longer be reached by remote callers (per the vendor statement). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Audit network inventory to identify all GL-MT3000 devices and confirm firmware version 4.4.5 deployment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-12186 HIGH POC
7.4 Jun 14

Authenticated command injection in the GL.iNet GL-MT3000 travel router (firmware up to 4.4.5) lets remote attackers with
CVE-2026-12187 HIGH POC
7.4 Jun 14

Command injection in the GL.iNet GL-MT3000 travel router's Online Firmware Upgrade Handler (/usr/bin/one_click_upgrade)

Share

CVE-2026-11450 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy