CVE-2026-11406: GL.iNet MT3000 OpenVPN Command Injection Vulnerability – Patch Guidance
GL.iNet MT3000 routers running firmware versions up to 4.4.5 contain a command injection flaw in the OpenVPN client import process. An authenticated user can craft a malicious OpenVPN configuration file that, when imported through the web interface, executes arbitrary system commands with the privileges of the router's web service. The vendor has released patched firmware that validates OpenVPN configuration files to block injection attempts.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-77
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in GL.iNet MT3000 up to 4.4.5. This vulnerability affects unknown code of the file ovpnclient.sh of the component OpenVPN Client Import Workflow. This manipulation causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 4.9.0_beta3-1012-0513-1778656146 is able to resolve this issue. You should upgrade the affected component. The vendor confirms: "This issue has been addressed by implementing malicious checks on OpenVPN configuration files to prevent command injection attacks carried through malicious configuration files."
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11406 is a command injection vulnerability (CWE-74, CWE-77) in the ovpnclient.sh script within GL.iNet MT3000 firmware. The OpenVPN Client Import Workflow fails to properly sanitize user-supplied configuration data before passing it to shell operations. An authenticated attacker can inject shell metacharacters into OpenVPN config parameters—such as the server address, certificate paths, or custom configuration directives—to achieve arbitrary command execution on the router. The CVSS 3.1 score of 6.3 reflects that exploitation requires prior authentication (PR:L) but carries local impact across confidentiality, integrity, and availability.
Business impact
Compromised GL.iNet MT3000 routers become entry points for lateral network movement. An attacker with administrative access (or who has socially engineered credentials) can pivot into corporate VPN infrastructure, intercept or redirect VPN traffic, install persistent backdoors, or exfiltrate sensitive data. For organizations using MT3000 as a site-to-site VPN gateway or remote access appliance, this vulnerability directly threatens the integrity of encrypted network channels and the confidentiality of data transiting those channels.
Affected systems
GL.iNet MT3000 devices running firmware version 4.4.5 and earlier are vulnerable. Verify your router's firmware version in the web interface under System > Firmware. The vulnerable component is the OpenVPN Client Import Workflow, so systems that do not use OpenVPN client functionality are not exposed to this particular code path, though updating is still recommended for defense-in-depth.
Exploitability
Exploitation is practical but gated by authentication. The attacker must have valid credentials to access the router's web interface and navigate to the OpenVPN import dialog. Public disclosure has occurred, and malicious proof-of-concept configuration files could be readily adapted by threat actors. An attacker who gains initial access via weak default credentials, phishing, or another vulnerability can immediately leverage this flaw to escalate privileges or establish persistence.
Remediation
Upgrade GL.iNet MT3000 firmware to version 4.9.0_beta3-1012-0513-1778656146 or later. The patched version implements strict validation of OpenVPN configuration files to neutralize command injection payloads. Before upgrading, back up your router configuration and test the new firmware in a non-production environment if possible. After patching, confirm the firmware version in the web interface.
Patch guidance
Access the router's web interface, navigate to System > Firmware, and check the current version. If running 4.4.5 or earlier, download the latest stable firmware from GL.iNet's official support portal. Follow the vendor's upgrade instructions carefully, as interrupted upgrades can brick the device. Do not interrupt power or network connectivity during the upgrade process. After the upgrade completes, verify that the firmware version matches the patched build and that OpenVPN client functionality operates normally.
Detection guidance
Monitor router logs for failed OpenVPN import attempts or unusual characters (backticks, pipes, semicolons, dollar signs) in OpenVPN configuration filenames or contents. Check for unexpected process spawning or elevated privilege usage following OpenVPN client import operations. Network intrusion detection systems (IDS) should flag suspicious outbound connections from the router's IP address that do not align with known VPN server endpoints. Endpoint detection and response (EDR) tools on connected systems should watch for lateral movement originating from the router's subnet immediately after import activities.
Why prioritize this
While the CVSS score is medium (6.3), this vulnerability sits in a critical trust boundary: the router controls all network traffic and authentication to internal systems. Even a medium-severity router flaw can be weaponized for persistent network compromise. The presence of public exploitation details and the straightforward attack vector (malicious config file upload) elevate practical risk. Organizations dependent on MT3000 for VPN or remote access should treat this as high-priority within their router/edge device inventory.
Risk score, explained
The CVSS 3.1 base score of 6.3 (MEDIUM) reflects: Network Attack Vector (AV:N) meaning remote exploitation is possible; Low Attack Complexity (AC:L) indicating no special conditions are needed; Low Privileges Required (PR:L) requiring valid authentication; No User Interaction (UI:N); Unchanged Scope (S:U) meaning impact is confined to the vulnerable component; and partial impact across Confidentiality, Integrity, and Availability (C:L/I:L/A:L). However, environmental context—such as whether the device is internet-facing, the value of VPN traffic it carries, or multi-factor authentication controls—can shift organizational risk higher. This score does not account for post-compromise persistence or lateral movement potential.
Frequently asked questions
Does this vulnerability affect GL.iNet devices other than the MT3000?
The advisory specifically identifies the GL.iNet MT3000. Other GL.iNet models may use the same firmware codebase or vulnerable components; check the vendor's security advisory and your device model to confirm exposure. If you operate other GL.iNet routers, verify their firmware versions and check the official support channels for any related patches.
What if we don't use OpenVPN client import—are we safe?
This specific vulnerability triggers only when the OpenVPN Client Import Workflow is invoked. If your MT3000 is configured solely as a VPN server or does not use OpenVPN at all, this attack vector does not apply. However, the underlying firmware codebase may contain other flaws; upgrading is still recommended for comprehensive security hardening.
Can this be exploited without administrative login credentials?
No. The CVSS vector indicates Low Privileges Required (PR:L), meaning a valid login is necessary. An unauthenticated attacker cannot directly trigger the import workflow. However, weak or default credentials, credential leaks, or social engineering attacks targeting router administrators are common precursors to exploitation.
How do we verify the upgrade succeeded and was not tampered with?
After upgrading, log into the web interface and confirm the firmware version matches the patched build number (4.9.0_beta3-1012-0513-1778656146 or later). GL.iNet advisories may include checksum or signature verification steps; follow those to ensure file integrity. Test OpenVPN import with a known-good configuration file to confirm normal operation.
This analysis is provided for informational purposes and reflects the vulnerability details available as of the publication date. Security researchers should verify all technical claims against vendor advisories and published proof-of-concept disclosures. Organizations should conduct their own risk assessment based on their network topology, regulatory obligations, and the criticality of affected systems. Patch deployment should be tested in a non-production environment before full rollout. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and shall not be liable for any consequences arising from reliance upon it. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10180MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Hardware Retirement Required
- CVE-2026-10182MEDIUMTRENDnet TEW-432BRP Command Injection – Unpatched EOL Device
- CVE-2026-10550MEDIUMCommand Injection in elunez eladmin Deployment Module
- CVE-2026-10878MEDIUMD-Link DWR-M920 Command Injection Vulnerability – Patch Now