CVE-2026-11447: GL.iNet GL-MT3000 Command Injection Vulnerability
A command injection vulnerability exists in GL.iNet's GL-MT3000 router firmware versions up to 4.4.5. The flaw is located in the MTK Backend component (iwinfo.so) and can be exploited by an authenticated remote attacker to inject arbitrary commands through the device parameter. This allows an attacker with valid credentials to execute unauthorized system commands. The vendor has released version 4.7 with global protections to intercept malicious injection attempts.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-77
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-07 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in GL.iNet GL-MT3000 up to 4.4.5. Impacted is the function iwinfo_backend of the file iwinfo.so of the component MTK Backend. The manipulation of the argument device results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 4.7 is recommended to address this issue. Upgrading the affected component is recommended. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection".
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11447 is a command injection vulnerability (CWE-74, CWE-77) in the iwinfo_backend function of GL.iNet GL-MT3000 firmware. The vulnerability stems from insufficient input validation on the device argument, permitting OS command injection. The affected component is the MTK Backend library (iwinfo.so). Remote exploitation requires authentication (CVSS vector indicates PR:L), making this accessible to any user with valid login credentials. The vendor's mitigation in version 4.7 implements global injection interception at the SDK level.
Business impact
Organizations deploying GL-MT3000 routers as network infrastructure or edge devices face risk of unauthorized command execution. While authentication is required, compromised user credentials—common in many environments—enable attackers to execute arbitrary commands with router-level privileges. This could lead to lateral movement, data exfiltration, or network disruption. The public exploit availability elevates risk for organizations that have not yet patched.
Affected systems
GL.iNet GL-MT3000 routers running firmware version 4.4.5 and earlier versions are affected. The vulnerability resides in the MTK Backend component bundled with the device firmware. Organizations should inventory deployed GL-MT3000 units and verify current firmware versions.
Exploitability
This vulnerability has moderate exploitability. Public exploits are available, lowering the technical barrier to attack. However, the CVSS vector (PR:L) indicates authentication is required—an attacker must possess valid user credentials. Network accessibility is unrestricted (AV:N). The attack complexity is low (AC:L), meaning no special conditions or timing are required once authenticated.
Remediation
Upgrade GL-MT3000 firmware to version 4.7 or later, which includes SDK-level protections against injection attacks. Verify upgrade completion by confirming firmware version in device settings. Additionally, enforce strong authentication controls: limit the number of user accounts with device access, apply strong password policies, and monitor for suspicious login activity.
Patch guidance
Download the latest firmware (version 4.7 or newer) from GL.iNet's official support portal. Back up your current configuration before upgrading. Follow the vendor's documented firmware update procedure. After upgrade, verify the new firmware version is active and confirm device functionality. For organizations with multiple GL-MT3000 units, stagger deployments to ensure network continuity.
Detection guidance
Monitor GL-MT3000 device logs for unusual command execution or system calls from authenticated sessions. Look for suspicious arguments passed to the device parameter in the iwinfo_backend function—specifically unusual shell metacharacters (|, ;, &, $(), backticks). Network intrusion detection systems should flag payloads containing shell command separators directed at the router. Verify firmware version on deployed devices using the web admin interface or SSH access to confirm patching status.
Why prioritize this
Although classified as MEDIUM severity (CVSS 6.3), this vulnerability warrants prompt attention due to three factors: (1) public exploit availability eliminates the requirement for advanced attacker capability; (2) command injection allows complete device compromise when authenticated; (3) routers are often overlooked in patch management processes, leaving organizations exposed longer than other infrastructure. Prioritize patching for GL-MT3000 units in production networks.
Risk score, explained
The CVSS 6.3 MEDIUM score reflects: low attack complexity (AC:L), network-based access (AV:N), low integrity/confidentiality/availability impact (C:L/I:L/A:L), and requirement for authentication (PR:L). However, the score does not account for the public exploit availability or the typical role of routers as trust boundaries. Consider elevation in your internal risk model if GL-MT3000 units manage sensitive network segments.
Frequently asked questions
Does this vulnerability affect all GL.iNet routers or only the GL-MT3000?
This vulnerability is specific to the GL-MT3000 model. Other GL.iNet products use different firmware and components, so they are not affected by this particular flaw. However, you should always keep all network devices patched regardless of model.
Can this vulnerability be exploited without network access?
No. The vulnerability requires authentication (valid user credentials) and network connectivity to the router's management interface. An attacker cannot exploit this remotely without first obtaining or compromising a valid user account on the device.
What does version 4.7 actually fix at the technical level?
The vendor states that version 4.7 adds 'global protection to intercept malicious injection' at the SDK level. This likely means input sanitization or command argument parsing has been hardened to prevent shell metacharacter injection before the iwinfo_backend function processes the device parameter.
Is this vulnerability currently being exploited in the wild?
There is no indication that this vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, which tracks vulnerabilities with confirmed active exploitation. However, public exploits are available, so exploitation is possible and organizations should assume attackers may discover and use them.
This analysis is provided for informational purposes and is based on publicly available vulnerability data current as of the modification date. The CVSS score and CWE classifications are provided by the CVE database maintainers. Organizations should verify patch availability and compatibility with their specific hardware and configurations before deploying updates. Exploit code details are not provided in this advisory. Always consult the vendor's official security advisory for authoritative guidance on your specific deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10180MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Hardware Retirement Required
- CVE-2026-10182MEDIUMTRENDnet TEW-432BRP Command Injection – Unpatched EOL Device
- CVE-2026-10550MEDIUMCommand Injection in elunez eladmin Deployment Module
- CVE-2026-10878MEDIUMD-Link DWR-M920 Command Injection Vulnerability – Patch Now