Skip to main content

GL.iNet GL-MT3000 CVE-2026-11452

| EUVD-2026-34983 MEDIUM
Command Injection (CWE-77)
2026-06-07 VulDB GHSA-5qf6-3rw8-7jgg
Command Injection Gl Mt3000
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jun 07, 2026 - 04:22 NVD
HIGH MEDIUM
CVSS changed
Jun 07, 2026 - 04:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Jun 07, 2026 - 04:12 vuln.today

DescriptionCVE.org

A vulnerability has been found in GL.iNet GL-MT3000 up to 4.4.5. Affected is the function FUN_0042e200 of the file /cgi-bin/glc of the component SET_USER_PWD Handler. The manipulation of the argument Password leads to command injection. The attack can be initiated remotely. Upgrading to version 4.8.1 is able to address this issue. The affected component should be upgraded. The vendor explains: " The current code escapes single quotes in the password parameter and handles it inside a shell single‑quote context. The payloads in the report, which rely on $() or backticks to trigger command substitution, are not executed under the current code path. We tested on a GL‑MT3000 device running firmware 4.8.1 using similar payloads, and no command‑execution marker file was created."

AnalysisAI

Command injection in GL.iNet GL-MT3000 routers running firmware up to 4.4.5 allows remote attackers to inject shell commands through the Password argument of the SET_USER_PWD handler in /cgi-bin/glc (function FUN_0042e200). The flaw is network-reachable with low complexity, but no public exploit is identified at time of analysis and the vendor disputes practical exploitability, stating that single-quote escaping in the shell context blocks the reported $() and backtick payloads.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed GL-MT3000 admin interface
Delivery
Craft POST to /cgi-bin/glc SET_USER_PWD
Exploit
Embed shell metacharacters in Password field
Execution
Bypass single-quote escaping in FUN_0042e200
Persist
Execute injected command as web service user
Impact
Establish persistence or pivot to LAN clients
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to reach the router's web management interface and invoke the SET_USER_PWD action of the /cgi-bin/glc CGI with a manipulated Password parameter - by default this interface is bound to the LAN, so internet-based exploitation requires the operator to have explicitly enabled WAN-side admin access or remote management. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) indicates a remotely reachable, unauthenticated, low-complexity attack with low impact across CIA - a profile typical of network-facing CGI command injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same network segment as a GL-MT3000 router (for example, a guest on a coffee-shop or co-working Wi-Fi where a travel router is in use), or anywhere on the internet if the admin interface has been exposed, sends a crafted POST request to /cgi-bin/glc invoking the SET_USER_PWD handler with a shell-metacharacter payload in the Password field. If sanitization can be bypassed, the injected command executes with the privileges of the web service (typically root on consumer routers), enabling configuration tampering, traffic interception, or persistent implant installation. …
Remediation Vendor-released patch: upgrade GL-MT3000 firmware to version 4.8.1 or later, which the vendor confirms is not exploitable by the reported $()/backtick payloads. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Inventory all GL-MT3000 routers, document firmware versions and network role/criticality; assign incident response ownership. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-12186 HIGH POC
7.4 Jun 14

Authenticated command injection in the GL.iNet GL-MT3000 travel router (firmware up to 4.4.5) lets remote attackers with
CVE-2026-12187 HIGH POC
7.4 Jun 14

Command injection in the GL.iNet GL-MT3000 travel router's Online Firmware Upgrade Handler (/usr/bin/one_click_upgrade)

Share

CVE-2026-11452 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy