CVE-2026-11448: GL.iNet GL-MT3000 Command Injection in Minidlna Service
GL.iNet GL-MT3000 routers running firmware version 4.4.5 and earlier contain a command injection flaw in the Minidlna service. An authenticated remote attacker can manipulate a specific parameter to inject arbitrary commands, potentially allowing them to execute code on the device. The vulnerability requires administrative privileges to exploit and has been resolved in firmware version 4.7 through enhanced input validation added to the SDK.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.7 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-77
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-07 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. The affected element is the function realpath of the file /rpc of the component Minidlna Service. This manipulation of the argument kube. set causes command injection. The attack is possible to be carried out remotely. Upgrading to version 4.7 is sufficient to fix this issue. It is recommended to upgrade the affected component. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection".
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11448 is a command injection vulnerability (CWE-74, CWE-77) in the realpath function within the /rpc endpoint of the GL-MT3000's Minidlna service component. The flaw stems from insufficient sanitization of the 'kube.set' argument, which allows an authenticated attacker with high privileges to inject shell metacharacters. The attack vector is network-accessible and requires no user interaction. GL.iNet addressed this by implementing global injection protection mechanisms in SDK version 4.7, which intercepts and neutralizes malicious payloads before execution.
Business impact
This vulnerability affects organizations deploying GL.iNet GL-MT3000 devices as edge routers or media servers. The primary risk lies in lateral movement and network compromise by high-privilege authenticated users, such as rogue administrators or compromised admin accounts. While CVSS scoring reflects medium severity due to the authentication requirement, successful exploitation could grant attackers command execution equivalent to the device's service process privileges, potentially enabling data exfiltration or network reconnaissance from inside the protected network.
Affected systems
GL.iNet GL-MT3000 running firmware versions 4.4.5 and earlier. The Minidlna service component is the attack surface; systems without this service enabled or already running version 4.7 or later are not affected.
Exploitability
Exploitation requires valid administrative credentials to access the /rpc endpoint and construct a malicious request targeting the kube.set parameter. The barrier to entry is moderate—an attacker must already possess high-level authentication. Once authenticated, the injection payload can be delivered over the network with no additional prerequisites. The lack of CISA KEV listing suggests limited public exploitation activity as of the publication date, though the relative simplicity of command injection attacks means weaponization risk remains non-negligible.
Remediation
Upgrade GL.iNet GL-MT3000 firmware to version 4.7 or later immediately. The vendor confirms that version 4.7 includes global SDK-level injection protection. Organizations unable to upgrade immediately should restrict administrative access to trusted users only, disable remote management if not required, and monitor for suspicious /rpc calls in access logs.
Patch guidance
Apply firmware version 4.7 or later via the GL.iNet management interface or download the latest firmware from the vendor's official support portal. Verify the integrity of the firmware image using provided checksums before installation. Test the upgrade in a non-production environment if possible. Rollback procedures should be documented beforehand. Verify that the Minidlna service restarts properly post-upgrade and that no custom configurations are lost during the update process.
Detection guidance
Monitor network access logs for POST or GET requests to the /rpc endpoint with 'kube.set' parameters, particularly those containing shell metacharacters (`, $, |, &, ;, <, >, etc.). Inspect Minidlna service logs for execution of unexpected commands or unusual process spawning. On systems running firmware prior to 4.7, establish baseline behavior for administrative API calls and alert on deviations. Implement network segmentation to restrict who can reach the /rpc endpoint. Use intrusion detection signatures that flag command injection patterns in HTTP parameters.
Why prioritize this
Although CVSS scoring is medium (4.7), this vulnerability warrants prompt remediation because: (1) it affects a network-facing service, (2) command injection carries inherent risk of privilege escalation or lateral movement, and (3) administrative credentials, while required, are sometimes shared or compromised in enterprise environments. Delaying patching increases exposure window if the attack is discovered by threat actors or shared in threat intelligence feeds.
Risk score, explained
CVSS 3.1 score of 4.7 reflects the network-accessible vector (AV:N) and low complexity (AC:L) of exploitation, balanced against the requirement for high-privilege authentication (PR:H). Impact is limited to confidentiality, integrity, and availability at the device level (S:U) with low severity in each category. The score does not account for business context—organizations that centralize admin credentials or operate GL-MT3000 devices in untrusted environments should weight their risk higher.
Frequently asked questions
Do I need admin access to exploit this vulnerability?
Yes, the vulnerability requires valid administrative credentials to access the /rpc endpoint. However, if an attacker has compromised an admin account or if credentials are shared among staff, exploitation becomes feasible. Review who has administrative access to your GL-MT3000 devices.
What does the vendor mean by 'global SDK protection'?
Starting in version 4.7, GL.iNet implemented input validation and sanitization at the SDK level that intercepts command injection payloads before they reach vulnerable functions. This is a defense-in-depth measure that stops malicious kube.set arguments from being processed as shell commands.
Is this vulnerability actively being exploited in the wild?
As of the CVE publication date, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread public exploitation has been reported. However, the relative simplicity of command injection attacks means threat actors may develop exploits independently.
Can I mitigate this without upgrading firmware?
Partial mitigation is possible by restricting network access to the /rpc endpoint via firewall rules, limiting administrative access to trusted internal networks, and disabling remote management features if not needed. However, firmware upgrade to version 4.7 is the only complete fix.
This analysis is provided for informational purposes only and does not constitute legal or professional advice. Organizations should verify all patch version numbers, affected systems, and remediation steps against official vendor advisories before implementation. SEC.co does not guarantee the accuracy of third-party vendor statements or timelines. Always test patches in a controlled environment before production deployment. For the most current information, consult the official GL.iNet security advisories and support channels. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10180MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Hardware Retirement Required
- CVE-2026-10182MEDIUMTRENDnet TEW-432BRP Command Injection – Unpatched EOL Device
- CVE-2026-10550MEDIUMCommand Injection in elunez eladmin Deployment Module
- CVE-2026-10878MEDIUMD-Link DWR-M920 Command Injection Vulnerability – Patch Now