Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir can lead to command injection. It is possible to launch the attack remotely. Upgrading to version 4.8.1 will fix this issue. You should upgrade the affected component. The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report - which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with # - cannot escape execution under the current code path. We also verified this on a GL-MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”."
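The difference between interpolating media_dir raw and escaping it first can be checked mechanically. The following is an added example, not GL.iNet's firmware code: the body of escape_single_quote() (which is not shown on the page), the command name set_ftp_root, the has_unquoted_metachar() audit helper and the sample value are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for escape_single_quote(): each ' becomes '\''.
 * Returns 0 on success, -1 if out is too small. */
int escape_single_quote(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need >= outsz) return -1;
        if (need == 4) memcpy(out + o, "'\\''", 4); else out[o] = *in;
        o += need;
    }
    out[o] = '\0';
    return 0;
}

/* escape=0 reproduces the unsafe pattern; "set_ftp_root" is a made-up name. */
int build_cmd(const char *media_dir, int escape, char *cmd, size_t sz)
{
    char esc[512];
    if (escape && escape_single_quote(media_dir, esc, sizeof esc) != 0) return -1;
    int n = snprintf(cmd, sz, "set_ftp_root '%s'", escape ? esc : media_dir);
    return (n < 0 || (size_t)n >= sz) ? -1 : 0;
}

/* Audit helper: 1 if a shell metacharacter sits outside single quotes. */
int has_unquoted_metachar(const char *cmd)
{
    int in_sq = 0;
    for (; *cmd; cmd++) {
        if (in_sq) { if (*cmd == '\'') in_sq = 0; continue; }
        if (*cmd == '\'') { in_sq = 1; continue; }
        if (*cmd == '\\' && cmd[1]) { cmd++; continue; }
        if (strchr(";#|&`$<>\n", *cmd)) return 1;
    }
    return in_sq; /* an unterminated quote also fails the check */
}

int main(void)
{
    char cmd[600];
    const char *v = "/mnt/usb'; echo INJECTED #"; /* constructed sample value */
    for (int esc = 0; esc <= 1; esc++)
        if (build_cmd(v, esc, cmd, sizeof cmd) == 0)
            printf("%d: %s -> flagged=%d\n", esc, cmd, has_unquoted_metachar(cmd));
    return 0;
}
```

The audit helper only models single-quote and backslash handling, which is all this command template uses; passing the value as an argv element to an exec-family call instead of building a shell string removes the need for escaping altogether.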
Analysis (AI)
Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows remote attackers to inject shell commands via the media_dir parameter handled by the snprintf call in /cgi-bin/glc's FTP protocol handler. The CVSS vector indicates network-reachable, unauthenticated exploitation with low complexity, and publicly available exploit code exists on GitHub (StrTzz123/iot_vul). …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires network reach to the GL-MT3000 web management interface on firmware 4.4.5 and the ability to invoke the /cgi-bin/glc handler that processes the NAS FTP protocol configuration (the /NAS_API_SET_PROTO_CONFIG path) with an attacker-controlled media_dir parameter. … |
| Risk Assessment | CVSS 7.3 reflects an unauthenticated network attack vector with low complexity and partial impact across confidentiality, integrity, and availability, which is consistent with command injection on a router's web management interface. … |
| Exploit Scenario | An attacker on the same LAN as a GL-MT3000 running 4.4.5 - for example, a guest connected to a travel router in a hotel room or coffee shop - sends an HTTP request to /cgi-bin/glc invoking the NAS FTP configuration interface with a media_dir value that closes a single quote, appends a shell command separated by a semicolon, and comments out the trailing quote with #. Because publicly available exploit code exists, this can be automated with minimal effort, and successful injection yields command execution in the FTP configuration write context on the router, potentially enabling pivoting onto the LAN and tampering with router state. |
| Remediation | Vendor-released patch: firmware 4.8.1 - upgrade GL-MT3000 devices to 4.8.1 or later via the GL.iNet admin UI or official firmware download, which adds escape_single_quote() sanitization of media_dir before it is written into the vsftpd configuration command. … |
Recommended Action (AI)
Within 24 hours: Inventory all GL-MT3000 devices and identify those running firmware 4.4.5 or earlier. …
EUVD-2026-34982
GHSA-rw8j-c4m6-h6r7