MEDIUM 6.3

CVE-2026-11449: GL.iNet GL-MT3000 Command Injection in LuCI JSON-RPC Interface

GL.iNet has patched a command injection vulnerability affecting their GL-MT3000 router running firmware 4.4.5. An authenticated attacker could execute arbitrary commands through the LuCI JSON-RPC interface, potentially compromising the router and devices on its network. The vulnerability is addressed in firmware 4.8.1 and later, though newer versions (4.7.13+) mitigate it by excluding LuCI by default.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-77
Affected products
0 configuration(s)
Published / Modified
2026-06-07 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in GL.iNet GL-MT3000 4.4.5. The impacted element is the function rpc_sys of the file /cgi-bin/luci/rpc of the component LuCI JSON-RPC Interface. Such manipulation leads to command injection. The attack may be performed from remote. Upgrading to version 4.8.1 is sufficient to resolve this issue. Upgrading the affected component is advised. The vendor confirms: "The issue discovered by the vulnerability researcher on older firmware versions(4.4.5) has actually been fixed and mitigated in the new version. According to the latest firmware fixes, by default, firmware versions after 4.7.13 do not install LuCI, so this vulnerability cannot be exploited."

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11449 is a command injection flaw in the rpc_sys function of the LuCI JSON-RPC interface (/cgi-bin/luci/rpc) in GL-MT3000 firmware 4.4.5. The vulnerability stems from insufficient input validation (CWE-74, CWE-77) that allows an authenticated remote attacker to inject and execute arbitrary system commands. The CVSS v3.1 score of 6.3 reflects the requirement for valid credentials but the ability to impact confidentiality, integrity, and availability of the affected router.

Business impact

This vulnerability could allow an attacker with valid credentials to compromise router functionality, redirect traffic, modify firewall rules, or pivot to connected devices. For organizations relying on GL-MT3000 routers for network access or VPN services, exploitation could disrupt connectivity and enable further lateral movement. The threat is limited by the authentication requirement, but compromised user credentials—whether through phishing, credential reuse, or prior breaches—represent a realistic attack path.

Affected systems

GL.iNet GL-MT3000 routers running firmware version 4.4.5 and potentially other versions between the vulnerable release and the fix are affected. The vulnerability does not exist in firmware 4.8.1 and later. Additionally, firmware versions 4.7.13 and newer do not include the LuCI component by default, preventing exploitation even if earlier code is present. Organizations should verify their current firmware version via the device web interface or SSH.

Exploitability

Exploitation requires valid authentication credentials to access the LuCI JSON-RPC interface. An attacker must already possess or obtain login credentials (typically the device's admin password). No special techniques, privilege escalation within the router, or out-of-band access is needed; the vulnerability is straightforward to exploit once authenticated. The network-accessible nature of the interface makes this a practical concern for routers exposed to untrusted networks or accessible remotely.

Remediation

Upgrade GL-MT3000 firmware to version 4.8.1 or later. Alternatively, if using firmware 4.7.13 or newer, verify that LuCI is not installed, as it is excluded by default in those versions. Immediate action is recommended for any router running 4.4.5 or intermediate firmware versions. Verify the current firmware version in the device settings or via SSH (uname -a or equivalent) before upgrading.

Patch guidance

Navigate to the GL-MT3000 firmware update page (typically accessible at the router's admin interface under System > Upgrade or similar). Download firmware version 4.8.1 or the latest available release from GL.iNet's official support website. Follow the vendor's upgrade procedure carefully, avoiding interruption during the flash process. After upgrading, reboot and confirm the new version is active. For headless deployments, firmware updates may also be performed via SSH or REST API; consult GL.iNet's technical documentation for your specific setup.

Detection guidance

Identify GL-MT3000 devices on your network via NMAP scanning for typical router signatures or SSH banner grabbing (SSH will often reveal firmware details). Query devices for firmware version via SNMP if enabled, or access the web interface and check System > System Status. Monitor authentication logs on routers for failed or unusual login attempts to /cgi-bin/luci/rpc. Review firewall logs for unexpected command execution or error messages from the CGI interface. Network detection can flag suspicious patterns sent to the RPC endpoint if behavioral baselines are established.

Why prioritize this

Although the CVSS score is moderate (6.3), the vulnerability warrants prompt remediation because command injection allows full router compromise, routers are critical infrastructure, and many organizations may have GL-MT3000 units without comprehensive monitoring. The authentication requirement reduces immediate risk compared to an unauthenticated flaw, but credential compromise is common. Patching is straightforward and low-risk, making this a high-priority routine maintenance item rather than an emergency, unless the device is internet-facing or used in sensitive environments.

Risk score, explained

The CVSS v3.1 score of 6.3 (MEDIUM) reflects: Network-accessible attack vector (AV:N), low attack complexity requiring only valid credentials (AC:L), the need for authenticated access (PR:L), no special user interaction required (UI:N), and impact on confidentiality, integrity, and availability of the device itself (C:L, I:L, A:L). The score does not account for downstream impact on connected networks or critical business functions, which may elevate organizational risk depending on deployment context.

Frequently asked questions

Can this vulnerability be exploited without the attacker knowing the router's login password?

No. The vulnerability requires valid authentication credentials to access the LuCI JSON-RPC interface. However, weak default passwords, credential leaks, or reused credentials from other breaches are common entry points. Additionally, if the router is configured with remote access enabled and uses default credentials, the authentication barrier is significantly weakened.

What happens if I upgrade my GL-MT3000 but LuCI remains installed?

Upgrading to 4.8.1 or later patches the underlying command injection flaw, so the vulnerability is resolved even if LuCI is present. However, newer firmware versions (4.7.13+) do not include LuCI by default, reducing the overall attack surface. If you are running an intermediate version, check your System > Installed Packages menu to see whether LuCI is active; if the patch is applied, you are protected regardless.

How do I know if my router has been compromised by this vulnerability?

Look for signs such as unexpected system reboots, unusual network traffic, modified firewall rules, or evidence of unauthorized SSH logins in system logs (accessible via SSH if you have console access). Since command injection allows arbitrary execution, attackers could install persistence mechanisms. If you suspect compromise, isolate the device, upgrade immediately, and consider resetting the device to factory defaults followed by firmware re-installation as a precaution.

Is this vulnerability tracked as a Known Exploited Vulnerability (KEV)?

No, this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning there is no confirmed public exploit or widespread active exploitation reported. This does not mean the vulnerability is not exploitable—it indicates that as of the data available, it has not reached the threshold for KEV listing. Nevertheless, treat it with the same urgency as any command injection flaw in a networking device.

This analysis is provided for informational and defensive security purposes. SEC.co does not warrant the accuracy or completeness of this intelligence and is not responsible for the accuracy of third-party source data or vendor statements. Organizations should verify all patch versions, compatibility, and deployment procedures directly with GL.iNet's official advisories and documentation before applying updates. Always test patches in a non-production environment first. This intelligence is current as of the publication date and may require updates as new information becomes available. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).