
GL.iNet GL-MT3000 CVE-2026-12186 | EUVD-2026-36665

HIGH · Command Injection (CWE-77)
2026-06-14 · VulDB · GHSA-8x52-x2jf-947x
7.4 · CVSS 4.0 · Vendor: VulDB

Severity by source

  • Vendor (VulDB), PRIMARY: 7.4 HIGH
    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • vuln.today AI: 8.8 HIGH
    Network-reachable admin RPC (AV:N), trivial injection with public PoC (AC:L), requires valid admin session (PR:L), no user interaction, root command execution gives full C/I/A impact.
    CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS Vector (Vendor: VulDB)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline (5 events)

  • Jun 14, 2026 - 21:28 (vuln.today): Analysis Updated, v3 (cvss_changed)
  • Jun 14, 2026 - 21:27 (vuln.today): Analysis Updated, v2 (cvss_changed)
  • Jun 14, 2026 - 21:22 (vuln.today): Re-analysis Queued, cvss_changed
  • Jun 14, 2026 - 21:22 (NVD): CVSS changed, 8.7 (HIGH) → 7.4 (HIGH)
  • Jun 14, 2026 - 21:12 (vuln.today): Analysis Generated

Description (CVE.org)

A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. Affected is the function replace_country in the library /usr/lib/oui-httpd/rpc/tor of the component Tor Proxy Service Configuration Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 4.7 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Analysis (AI)

Authenticated command injection in the GL.iNet GL-MT3000 travel router (firmware up to 4.4.5) lets remote attackers with low-privileged access execute arbitrary OS commands via the replace_country function in the Tor Proxy Service configuration handler. Exploit code for the flaw is publicly available and the vendor has shipped a fix; active exploitation in the wild had not been identified at the time of analysis.

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Reach GL-MT3000 admin interface over LAN/WAN
  • Delivery: Authenticate to oui-httpd with valid credentials
  • Exploit: Send crafted JSON-RPC to tor.replace_country with shell metacharacters
  • Execution: Trigger command injection in /usr/lib/oui-httpd/rpc/tor
  • Persist: Execute arbitrary commands as root
  • Impact: Install implant and pivot into LAN

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) network reachability to the oui-httpd management interface on the GL-MT3000 - by default this is exposed on the LAN side (192.168.8.1) and is only reachable from the WAN if the user enabled Remote Access in the admin panel; (2) a valid authenticated session against the admin RPC endpoint (CVSS PR:L), meaning the attacker must possess or obtain the device admin password (default, weak, phished, or CSRF-chained); (3) the device must be running firmware ≤ 4.4.5 with the Tor Proxy Service handler /usr/lib/oui-httpd/rpc/tor present (this RPC ships in stock firmware so no opt-in feature toggle is required). …

Risk Assessment: Real-world risk is moderate-to-high but bounded. …

Exploit Scenario: An attacker on the same LAN as a GL-MT3000 (or reaching it over WAN where remote admin is enabled) authenticates to the web UI using a weak, default, or phished admin credential, then issues a crafted JSON-RPC call to the tor module's replace_country method with shell metacharacters embedded in the country parameter. The oui-httpd handler concatenates the value into a shell command and executes the attacker's payload as root, allowing them to install a persistent implant, exfiltrate VPN/WireGuard credentials stored on the device, or pivot to the internal network behind the router. …

Remediation: Vendor-released patch: upgrade GL-MT3000 firmware to version 4.7 or later (the vendor-published fixed image referenced in the advisory is mt3000-4.8.1-0819, available at https://fw.gl-inet.com/firmware/mt3000/release/mt3000-4.8.1-0819-1755615825.tar). …
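
The exploit scenario above attributes the flaw to the handler concatenating the country value into a shell command. The following POSIX shell code is an added example, not GL.iNet's code or the vendor's patch; it shows the hardened pattern for that kind of handler: allow-list the value, then use it only as data. The function names valid_country and set_exit_country are hypothetical, and it assumes the value ends up in an ExitNodes line of a Tor configuration file.

```shell
#!/bin/sh
# Added example, not GL.iNet code. valid_country and set_exit_country are
# hypothetical names. Assumption: the handler stores a two-letter country
# code in an ExitNodes line of a Tor configuration file.

LC_ALL=C; export LC_ALL   # keep [A-Za-z] limited to ASCII letters

# Allow-list check: exactly two ASCII letters. Values carrying quotes,
# semicolons, backticks, $(), spaces or newlines fail simply because they
# are not two letters, so no metacharacter deny-list has to be maintained.
valid_country() {
    case "$1" in
        [A-Za-z][A-Za-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# Replace the ExitNodes line in the given file. The value is only ever used
# as data (a printf argument); it is never concatenated into a shell command
# string, which is the flaw the exploit scenario describes.
set_exit_country() {
    torrc=$1
    country=$2
    if ! valid_country "$country"; then
        echo "set_exit_country: rejected country value" >&2
        return 2
    fi
    cc=$(printf '%s' "$country" | tr 'A-Z' 'a-z')
    tmp=$(mktemp "$torrc.XXXXXX") || return 1
    # Copy every line except an existing ExitNodes entry, then append the new one.
    { grep -vi '^exitnodes[[:space:]]' "$torrc" || true; } > "$tmp"
    printf 'ExitNodes {%s}\n' "$cc" >> "$tmp"
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$torrc" && rm -f "$tmp"
}
```

A rejected value leaves the configuration file untouched and returns status 2, which the caller can map to an RPC error instead of running anything.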

Recommended Action (AI)

Within 24 hours: Identify all GL.iNet GL-MT3000 travel routers deployed across the organization and document current firmware versions. …
