
Gl Mt3000

8 CVEs for this product

CVE-2026-12187 | HIGH | POC | PATCH | This Week

Command injection in the GL.iNet GL-MT3000 travel router's Online Firmware Upgrade Handler (/usr/bin/one_click_upgrade) allows authenticated remote attackers to execute arbitrary OS commands on devices running firmware up to 4.4.5. Publicly available exploit code exists on GitHub, and the issue is fixed in firmware 4.7 (with 4.8.1 currently published by the vendor). No CISA KEV listing has been confirmed, but the combination of a published PoC and an internet-exposable management interface raises the practical risk above the headline CVSS score.

Tags: Command Injection, Gl Mt3000 | References: NVD, VulDB, GitHub
CVSS 4.0: 7.4 | EPSS: 2.0%
CVE-2026-12186 | HIGH | POC | PATCH | This Week

Authenticated command injection in the GL.iNet GL-MT3000 travel router (firmware up to 4.4.5) lets remote attackers with low-privileged access execute arbitrary OS commands via the replace_country function in the Tor Proxy Service configuration handler. Publicly available exploit code exists for the flaw, and the vendor has shipped a fix; no in-the-wild exploitation had been identified at time of analysis.

Tags: Command Injection, Gl Mt3000 | References: NVD, VulDB, GitHub
CVSS 4.0: 7.4 | EPSS: 2.0%
CVE-2026-11452 | MEDIUM | This Month

Command injection in GL.iNet GL-MT3000 routers running firmware up to 4.4.5 allows remote attackers to inject shell commands through the Password argument of the SET_USER_PWD handler in /cgi-bin/glc (function FUN_0042e200). The flaw is network-reachable with low complexity, but no public exploit is identified at time of analysis and the vendor disputes practical exploitability, stating that single-quote escaping in the shell context blocks the reported $() and backtick payloads.

Tags: Command Injection, Gl Mt3000 | References: NVD, VulDB, GitHub
CVSS 4.0: 6.9 | EPSS: 0.8%
CVE-2026-11451 | MEDIUM | This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows remote attackers to inject shell commands via the media_dir parameter handled by the snprintf call in /cgi-bin/glc's FTP protocol handler. The CVSS vector indicates network-reachable, unauthenticated exploitation with low complexity, and publicly available exploit code exists on GitHub (StrTzz123/iot_vul). The vendor has issued firmware 4.8.1 and disputes reproducibility on the patched build, stating that escape_single_quote() now sanitizes the input before it reaches the FTP configuration write path.

Tags: Command Injection, Gl Mt3000 | References: NVD, VulDB, GitHub
CVSS 4.0: 6.9 | EPSS: 1.0%
CVE-2026-11450 | MEDIUM | This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows remote attackers to execute arbitrary OS commands by manipulating the dev_name argument passed to the dlopen function in the /usr/lib/oui-httpd/rpc/ Path Normalization Handler, reachable via the nas-web.eject_disk RPC method. Publicly available exploit code exists on GitHub demonstrating the chain. There is no CISA KEV listing and no EPSS data was provided at time of analysis, but the network-reachable, no-authentication CVSS vector combined with a public PoC makes this a meaningful risk for exposed devices.

Tags: Command Injection, Gl Mt3000 | References: NVD, VulDB, GitHub
CVSS 4.0: 6.9 | EPSS: 1.0%
CVE-2026-11449 | MEDIUM | PATCH | This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows a remote, low-privileged attacker to execute arbitrary OS commands via the `rpc_sys` function exposed through the LuCI JSON-RPC interface at `/cgi-bin/luci/rpc`. The vendor has confirmed the vulnerability and released a fix in firmware 4.8.1; critically, versions after 4.7.13 no longer install LuCI by default, eliminating the attack surface for most current deployments. Publicly available exploit code exists in a GitHub repository, though no active exploitation has been confirmed by CISA KEV.

Tags: Command Injection, Gl Mt3000 | References: NVD, VulDB, GitHub
CVSS 4.0: 5.3 | EPSS: 0.7%
CVE-2026-11448 | MEDIUM | This Month

Remote command injection in GL.iNet GL-MT3000 firmware versions up to 4.4.5 enables a network-reachable, high-privilege attacker to execute arbitrary OS commands through the Minidlna service's /rpc endpoint by manipulating the kube.set argument of the realpath function. The vendor has confirmed the vulnerability and released a fix in firmware version 4.7, citing SDK-level global sanitization as the remediation. Publicly available exploit code exists in a GitHub proof-of-concept repository (StrTzz123/iot_vul), though no active exploitation has been confirmed by CISA KEV at time of analysis.

Tags: Command Injection, Gl Mt3000 | References: NVD, VulDB, GitHub
CVSS 4.0: 5.1 | EPSS: 0.2%
CVE-2026-11447 | LOW | POC | Monitor

Command injection in GL.iNet GL-MT3000 router firmware (versions up to 4.4.5) allows a low-privileged remote attacker to execute arbitrary OS commands by manipulating the 'device' argument passed to the iwinfo_backend function in iwinfo.so. A public proof-of-concept exploit is available on GitHub, raising the realistic likelihood of opportunistic abuse. The vendor has confirmed the issue and released firmware 4.7 with a global injection interception protection in the SDK.

Tags: Command Injection, Gl Mt3000 | References: NVD, VulDB, GitHub
CVSS 4.0: 2.1 | EPSS: 0.9%