CVE-2026-11450: GL.iNet GL-MT3000 Remote Command Injection Vulnerability
A command injection vulnerability exists in GL.iNet GL-MT3000 routers running firmware version 4.4.5 and earlier. An attacker can remotely exploit this flaw by manipulating the device name parameter in the HTTP RPC interface, allowing them to execute arbitrary commands on the affected device without authentication. The issue stems from insufficient input validation in the path normalization handler. GL.iNet has addressed this in firmware version 4.7 and later by implementing method-level validation that prevents the vulnerable eject_disk function from being called through the default RPC endpoint.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-77
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-07 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in GL.iNet GL-MT3000 4.4.5. This affects the function dlopen in the library /usr/lib/oui-httpd/rpc/ of the component Path Normalization Handler. Performing a manipulation of the argument dev_name results in command injection. It is possible to initiate the attack remotely. Upgrading to version 4.7 mitigates this issue. It is advisable to upgrade the affected component. The vendor confirms: " From version 4.7 onward, we have enabled method‑level validation at the HTTP /rpc layer. nas‑web.eject_disk is no longer in the whitelist of allowed methods. Consequently, directly calling eject_disk through the default /rpc endpoint returns Invalid params, preventing entry into subsequent dangerous functions and blocking the remote exploit chain described in the report."
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the dlopen function within /usr/lib/oui-httpd/rpc/, a component responsible for handling path normalization in the GL-MT3000's web interface. The flaw involves improper sanitization of the dev_name argument passed to the RPC layer. By manipulating this parameter, an unauthenticated attacker can inject shell commands that are executed with the privileges of the web service process. The attack chain relies on calling the nas-web.eject_disk method, which was accessible through the default /rPC endpoint in vulnerable versions. GL.iNet's remediation in version 4.7 introduced HTTP RPC layer validation that blocks eject_disk from being whitelisted, preventing the exploit chain from being initiated.
Business impact
Organizations deploying GL-MT3000 devices as network infrastructure—particularly in small office/branch office (SOBO) or remote access scenarios—face risk of complete device compromise. An attacker gaining command execution could steal network traffic, modify router configurations, pivot to internal networks, or use the device for botnet participation. The unauthenticated, network-accessible nature of the flaw means any internet-facing GL-MT3000 is at immediate risk. Recovery typically requires manual intervention and potential re-imaging of affected devices.
Affected systems
GL.iNet GL-MT3000 devices running firmware versions prior to 4.7 are affected. The vulnerability is present in version 4.4.5 and earlier. Devices running firmware 4.7 or later contain the mitigating validation controls and are not vulnerable. Organizations should verify firmware versions across all deployed GL-MT3000 units and prioritize updates in internet-facing or perimeter deployments.
Exploitability
This vulnerability is highly exploitable. It requires no authentication, no user interaction, and no special network conditions—only network reachability to the device's HTTP RPC interface. The attack is straightforward to execute remotely using standard HTTP requests. The CVSS 3.1 score of 7.3 (High) reflects the low attack complexity and the ability to achieve confidentiality, integrity, and availability impacts. No known public exploits are currently tracked in the CISA KEV catalog, but the simplicity of the attack vector means exploitation risk is substantial and will likely increase once detailed technical information becomes widely available.
Remediation
The primary remediation is to upgrade all affected GL-MT3000 devices to firmware version 4.7 or later. This update includes the method-level validation that prevents the vulnerable eject_disk function from being accessible via the default RPC endpoint. Administrators should plan a firmware rollout, testing the upgrade in a non-production environment first to ensure compatibility with custom configurations. Until updates can be deployed, consider restricting network access to the device's HTTP interface using firewall rules or VPN gating, limiting exposure to trusted networks only.
Patch guidance
GL.iNet has released firmware version 4.7 as the official remediation. Administrators should obtain the latest firmware from GL.iNet's official download portal and follow their documented upgrade procedure. Verify the firmware version before and after the upgrade to confirm successful deployment. Organizations should establish a change control process to coordinate updates across multiple GL-MT3000 devices and document the patching timeline for compliance purposes. If your environment has custom RPC extensions, test them thoroughly on version 4.7 before production rollout.
Detection guidance
Monitor HTTP logs for unexpected calls to the /rpc endpoint with suspicious dev_name parameters or attempts to invoke nas-web.eject_disk. Look for payloads containing shell metacharacters (|, ;, $, backticks, &&, ||) embedded in HTTP POST parameters. Network-based detection can flag requests to the RPC interface from untrusted sources. On the device itself, audit syslog and process execution logs for unusual command activity originating from the web service user. Intrusion detection signatures should key on the path /usr/lib/oui-httpd/rpc/ and method names attempting to call eject_disk.
Why prioritize this
This vulnerability warrants immediate attention due to its high CVSS score (7.3), unauthenticated remote exploitability, and the complete device compromise it enables. Organizations should prioritize patching GL-MT3000 devices, especially those exposed to untrusted networks. While not yet in the CISA KEV catalog, the straightforward attack methodology and high impact make this a natural target for active exploitation. Firmware updates are straightforward and impose minimal operational risk.
Risk score, explained
The CVSS 3.1 score of 7.3 (High) reflects: (1) network-based remote attack vector with no authentication required (AV:N, PR:N); (2) low attack complexity requiring only standard HTTP requests (AC:L); (3) no user interaction needed (UI:N); (4) impact on confidentiality, integrity, and availability (C:L, I:L, A:L). While the impact ratings are 'Low' individually, the combination of unauthenticated remote code execution on a network device capable of affecting downstream systems justifies the High severity rating.
Frequently asked questions
How can I check my GL-MT3000's firmware version?
Access the device's web administration interface (typically at 192.168.1.1) and navigate to System Settings or System > Advanced. The firmware version will be displayed in the overview section. Alternatively, SSH into the device and run 'cat /etc/os-release' or check the version file in /etc.
If I'm not using the RPC interface, am I still at risk?
The vulnerability is in the HTTP RPC endpoint itself, which is enabled by default on GL-MT3000 devices. Even if you are not actively using RPC calls, the endpoint is listening and can be exploited. The only way to be protected is to upgrade to version 4.7 or later, which disables the vulnerable code path.
Does upgrading to 4.7 require reconfiguring my device?
Upgrading to 4.7 is generally non-disruptive; most user configurations, network settings, and VPN profiles are preserved. However, any custom RPC methods or third-party extensions referencing nas-web.eject_disk will no longer work, as that method is no longer whitelisted. Test in a non-production environment first if you have custom integrations.
What should I do if I cannot upgrade immediately?
Restrict network access to the device using firewall rules, allowing HTTP/HTTPS only from trusted IP ranges or networks. Consider placing the device behind a VPN or bastion host. Disable remote management features if not required. Monitor logs for suspicious RPC activity. These are compensating controls, not substitutes for patching—prioritize the upgrade as soon as operationally feasible.
This analysis is provided for informational purposes to help security teams understand and respond to CVE-2026-11450. The information is based on vendor advisories and publicly disclosed vulnerability data as of the publication date. No exploit code or weaponized proof-of-concept is included. Organizations should independently verify firmware versions, test patches in non-production environments, and validate mitigations before deployment. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor information and recommends consulting official GL.iNet advisories and documentation for authoritative guidance. Patch availability and remediation timelines may vary by region and distribution channel. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11451HIGHGL.iNet GL-MT3000 Remote Command Injection in FTP Handler
- CVE-2026-11452HIGHGL.iNet GL-MT3000 Command Injection Vulnerability – Firmware Update Required
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10180MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Hardware Retirement Required
- CVE-2026-10182MEDIUMTRENDnet TEW-432BRP Command Injection – Unpatched EOL Device