Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable admin UI (AV:N), no special conditions (AC:L), authenticated low-privileged operator session required (PR:L), no user interaction, full device compromise on a single OS scope.
Primary rating from Vendor (VulDB).
Description (CVE.org)
A security vulnerability has been detected in GL.iNet GL-MT3000 up to 4.4.5. Affected by this vulnerability is an unknown functionality of the file /usr/bin/one_click_upgrade of the component Online Firmware Upgrade Handler. Such manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 4.7 addresses this issue. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Analysis (AI)
Command injection in the GL.iNet GL-MT3000 travel router's Online Firmware Upgrade Handler (/usr/bin/one_click_upgrade) allows authenticated remote attackers to execute arbitrary OS commands on devices running firmware up to 4.4.5. Publicly available exploit code exists on GitHub, and the issue is fixed in firmware 4.7 (with 4.8.1 currently published by the vendor). …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires network reachability to the GL-MT3000 web management interface (LAN by default, but frequently exposed via WAN admin, GoodCloud remote management, or Tailscale/WireGuard overlays) and valid credentials for an account with permission to invoke the Online Firmware Upgrade Handler; the CVSS PR:L indicates an authenticated low-privileged operator session is necessary, so it is not a pre-auth bug. … |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H with E:P yields 7.4 (High) and is internally consistent with a post-auth command injection on a network-exposed admin endpoint: full confidentiality, integrity and availability impact on the device, no user interaction, low attack complexity, but PR:L because a valid admin/operator session on the router UI is required. … |
| Exploit Scenario | An attacker who has obtained or guessed the GL-MT3000 admin password (or who reaches an exposed admin panel on the WAN) authenticates to the web UI and triggers the online firmware upgrade flow with a crafted URL/version parameter containing shell metacharacters. The /usr/bin/one_click_upgrade handler concatenates the value into a shell command, executing the attacker's payload as the router's privileged service account, yielding persistent device takeover, traffic interception, and a pivot into the LAN. … |
| Remediation | Apply the vendor-released fix by upgrading firmware to 4.7 or later; GL.iNet has published 4.8.1 at https://fw.gl-inet.com/firmware/mt3000/release/mt3000-4.8.1-0819-1755615825.tar, which should be preferred as the current rolled-up release. … |
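The concatenation defect in the scenario above, next to a hardened handling of the same version and URL inputs, as an added POSIX sh example that is not GL.iNet's code or the real /usr/bin/one_click_upgrade handler; the allowlisted base URL, the filename rules and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not GL.iNet's code): a hypothetical upgrade-request validator that
# shows the concatenation defect the advisory describes and a hardened alternative.
# The base URL, filename rules and function names are assumptions for illustration.

FW_BASE_URL="https://fw.gl-inet.com/firmware/mt3000/release/"

# Vulnerable pattern: the version/URL value is spliced into a shell string, so any
# shell metacharacter it carries is parsed as part of the command:
#   sh -c "wget -O /tmp/fw.tar $url"

# Accept only dotted numeric versions such as 4.7 or 4.8.1.
is_valid_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, foreign chars, bad dots
        [0-9]*.*) return 0 ;;                   # starts with a digit, has a dot
    esac
    return 1
}

# Accept only URLs under the allowlisted release path with a plain .tar filename.
is_valid_fw_url() {
    case "$1" in
        "$FW_BASE_URL"*) ;;
        *) return 1 ;;
    esac
    name=${1#"$FW_BASE_URL"}
    case "$name" in
        ''|*/*|*[!A-Za-z0-9._-]*|*..*) return 1 ;;   # traversal or odd characters
        *.tar) return 0 ;;
    esac
    return 1
}

# Hardened flow: validate both inputs, then build the download command as an argv
# list so the URL reaches wget as exactly one argument and is never re-parsed.
# Prints one argv element per line instead of executing, so it runs offline.
plan_upgrade() {
    version=$1; url=$2
    is_valid_version "$version" || { echo "rejected version: $version" >&2; return 2; }
    is_valid_fw_url "$url" || { echo "rejected URL: $url" >&2; return 2; }
    printf '%s\n' wget -O /tmp/fw.tar -- "$url"
}
```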
Recommended Action (AI)
Within 24 hours: Inventory all GL-MT3000 routers in production; confirm current firmware versions and whether management interfaces are internet-exposed. …
References
EUVD-2026-36666
GHSA-8rqp-5vg5-cv68