HIGH 7.3

CVE-2026-11451: GL.iNet GL-MT3000 Remote Command Injection in FTP Handler

GL.iNet's GL-MT3000 router firmware version 4.4.5 contains a command injection vulnerability in its FTP configuration handler. An attacker can remotely manipulate the media_dir parameter to inject and execute arbitrary shell commands without authentication. The vulnerability has been patched in firmware version 4.8.1, where the vendor implemented input escaping to neutralize quote-based command injection payloads.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-77
Affected products
0 configuration(s)
Published / Modified
2026-06-07 / 2026-06-17

NVD description (verbatim)

A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir can lead to command injection. It is possible to launch the attack remotely. Upgrading to version 4.8.1 will fix this issue. You should upgrade the affected component. The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report—which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #—cannot escape execution under the current code path. We also verified this on a GL‑MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”."

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11451 is a command injection flaw in the GL-MT3000's /cgi-bin/glc endpoint, specifically within the FTP Protocol Handler component's snprintf call. The vulnerability stems from insufficient input validation on the media_dir argument, allowing an unauthenticated attacker to break out of a configuration string context using single-quote closure and command separator syntax (e.g., '; command #'). The attack surface is the HTTP-based CGI interface, making it accessible over the network. The vendor's fix in 4.8.1 introduces the escape_single_quote() function to neutralize shell metacharacters before writing the media_dir value into the vsftpd.conf configuration file. Testing by the vendor confirmed that payloads effective against 4.4.5 fail to execute code under 4.8.1's sanitization logic.

Business impact

This vulnerability enables unauthenticated remote command execution on affected GL-MT3000 devices, potentially granting attackers complete control over the router. An attacker could use this access to pivot into the local network, exfiltrate traffic, modify network policies, disrupt service availability, or use the device as a launching point for further attacks. Organizations relying on GL-MT3000 for network perimeter or NAS functionality face significant operational and data confidentiality risk if devices remain unpatched.

Affected systems

GL.iNet GL-MT3000 running firmware version 4.4.5 is confirmed vulnerable. Devices running firmware version 4.8.1 or later are not affected. Organizations should audit their deployed GL-MT3000 fleet to determine current firmware versions and identify devices still on 4.4.5 or other intermediate versions prior to 4.8.1.

Exploitability

Exploitability is high. The vulnerability requires no authentication, no user interaction, and no complex network conditions—an attacker on the internet can trigger it by sending a crafted HTTP request to the /cgi-bin/glc endpoint with a malicious media_dir payload. No special privileges or system access are needed to launch the attack. The CVSS 3.1 score of 7.3 (HIGH) reflects the remote, unauthenticated nature and the impact scope (confidentiality, integrity, and availability).

Remediation

The definitive remediation is to upgrade affected GL-MT3000 devices to firmware version 4.8.1 or later. Organizations unable to upgrade immediately should consider network-level mitigations: restrict access to the GL-MT3000's management interface to trusted IP addresses, place the device behind a firewall with strict ingress rules, or disable the FTP protocol handler if it is not required for operations. Verify that upgrades are completed across the entire fleet and establish a process to monitor for future firmware updates from GL.iNet.

Patch guidance

Download and apply firmware version 4.8.1 or later from GL.iNet's official support channels. Before deploying in production, test the upgrade on a non-critical device or in a lab environment to confirm compatibility with your network configuration and any custom settings. The patch is straightforward to apply and does not require special prerequisites; follow GL.iNet's standard firmware update procedure. After upgrade, verify that the device reports firmware version 4.8.1 or higher via the device's web interface or CLI.

Detection guidance

Monitor HTTP access logs to the /cgi-bin/glc endpoint for unusual activity, particularly requests containing shell metacharacters (single quotes, semicolons, pipes, backticks) in the media_dir parameter. Network intrusion detection systems should be tuned to flag HTTP requests with suspicious command injection patterns directed at GL-MT3000 devices. Endpoint detection and response (EDR) tools on systems with network visibility to the router should alert on unexpected process execution spawned by the FTP or HTTP service. Conduct a firmware inventory of all deployed GL-MT3000 units to identify those on vulnerable versions.

Why prioritize this

This vulnerability should be treated as a critical priority. It allows unauthenticated remote code execution with no exploitation complexity on a network infrastructure device. The router's position in the network architecture makes it a high-value target for lateral movement, and compromise could go undetected if monitoring is inadequate. The fix is available and straightforward to deploy, making remediation feasible without long-term operational burden. Any GL-MT3000 device on version 4.4.5 exposed to untrusted networks should be patched immediately.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) reflects: (1) Network-based attack vector with no authentication required, (2) low attack complexity, (3) impact to confidentiality (attacker can read router and network data), integrity (attacker can modify configuration and inject commands), and availability (attacker can disrupt or crash services). The scope is unchanged (the router itself is the impacted resource). The score appropriately captures the severity of unauthenticated RCE on infrastructure hardware, though organizations with this device should treat it as functionally critical given its network role.

Frequently asked questions

Does this vulnerability require authentication to exploit?

No. The vulnerability can be exploited by any unauthenticated attacker on the network or the internet who can reach the GL-MT3000's /cgi-bin/glc endpoint. No credentials or prior system access are required.

If we have upgraded to 4.8.1, are we protected?

Yes. GL.iNet's testing confirmed that the command injection payloads that succeed on 4.4.5 do not execute code under 4.8.1. The escape_single_quote() function neutralizes the attack technique. However, verify that all devices in your environment have been upgraded, as partial deployments leave some systems at risk.

Can we mitigate this without upgrading?

Temporary mitigations include restricting network access to the GL-MT3000's management interface (e.g., firewall rules to allow only trusted IPs), disabling the FTP protocol handler if it is not in use, and placing the device behind a strict ingress firewall. These reduce risk but do not eliminate the vulnerability; upgrading to 4.8.1 is the long-term solution.

How can we detect if a GL-MT3000 has been compromised by this vulnerability?

Monitor for unexpected processes spawned by the FTP service, unusual outbound connections from the router, or modification of system files (e.g., /etc/vsftpd.conf). Check HTTP access logs for requests to /cgi-bin/glc with suspicious characters or patterns. A full forensic analysis would require accessing the device's logs and filesystem, which may be limited depending on your access model.

This analysis is based on the CVE record and vendor advisory published as of the modification date shown. While we have made efforts to ensure accuracy, security vulnerabilities and vendor responses evolve. Always verify patch availability and compatibility with your specific deployment before applying updates. This document does not constitute legal advice and is provided for informational purposes. Organizations should conduct their own risk assessments and testing in non-production environments. SEC.co makes no warranty regarding the completeness or timeliness of this information. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).