CVE-2026-11505: GL.iNet Router Hard-coded Cryptographic Key Vulnerability (4.8.x)
GL.iNet routers across multiple models (A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000, XE3000) running firmware version 4.8.x contain a flaw in the glnassys component that exposes a hard-coded cryptographic key. An authenticated attacker with network access can exploit this to gain unauthorized cryptographic capabilities. The vulnerability requires significant technical skill and specific conditions to exploit, placing it in the medium-risk category. A firmware upgrade to version 4.9.0 resolves the issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.0 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-320, CWE-321
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A flaw has been found in GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000 and XE3000 4.8.x. This affects an unknown function of the component glnassys. Executing a manipulation can lead to use of hard-coded cryptographic key . The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. Upgrading to version 4.9.0 mitigates this issue. Upgrading the affected component is advised.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11505 affects the glnassys component in GL.iNet's 4.8.x firmware branch across eight router models. The vulnerability stems from the use of hard-coded cryptographic keys (CWE-320: Use of Hard-coded Cryptographic Key; CWE-321: Use of Hard-coded Cryptographic Key in PRNG). The flaw requires authenticated network access (PR:L), a high level of technical complexity (AC:H), and yields limited impact: confidentiality, integrity, and availability are each partially compromised (C:L/I:L/A:L). The CVSS v3.1 score of 5.0 reflects the authentication barrier and high complexity requirements that make practical exploitation difficult. No public exploit code or active exploitation has been reported.
Business impact
Organizations relying on GL.iNet routers for network perimeter security or VPN gateway functions face a containable but real risk. Compromise of the hard-coded key could allow an authenticated attacker to decrypt or forge cryptographic operations tied to device authentication, potentially enabling session hijacking, credential impersonation, or unauthorized access to router management functions. The impact is bounded by the authentication requirement, limiting exposure to users or administrators with network credentials. However, if an attacker gains initial access via a separate vulnerability or compromise, this flaw becomes a stepping stone to deeper control.
Affected systems
Eight GL.iNet router models are affected: A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000, and XE3000. The vulnerability is specific to firmware version 4.8.x. Devices running 4.9.0 or later are not affected. Organizations should inventory deployed GL.iNet routers and determine their current firmware versions to establish scope.
Exploitability
While the vulnerability is remotely exploitable over the network, practical exploitation is difficult. The attack requires an authenticated user with valid credentials and high technical complexity to manipulate the glnassys component and leverage the hard-coded key. This is not a one-click or unauthenticated attack; it demands specialized knowledge of the device's cryptographic operations and the key's specific use case. No public proof-of-concept or active exploitation campaigns have been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Upgrade affected GL.iNet routers to firmware version 4.9.0 or later. This is the definitive remediation and addresses the root cause. Organizations should prioritize patching internet-facing or critical router deployments first. Verify firmware version via the device's web interface or SSH access before and after upgrade to confirm successful deployment.
Patch guidance
Deploy GL.iNet firmware version 4.9.0 or later on all affected models in your environment. Check GL.iNet's official support portal or vendor advisory for the download links and release notes specific to your router model. Test patches in a non-production environment first if feasible, particularly for routers handling VPN or critical network services. Establish a firmware baseline and monitoring process to prevent regression to 4.8.x versions.
Detection guidance
Audit deployed GL.iNet routers to identify firmware version 4.8.x instances. Monitor router logs and management consoles for unusual authentication attempts or failed login events that might signal attempted exploitation. Network segmentation can reduce the attack surface: restrict direct administrative access to routers from untrusted network segments. If your organization uses configuration management tools, ensure they flag GL.iNet devices running 4.8.x for compliance remediation.
Why prioritize this
Although classified as medium severity (CVSS 5.0), prioritization should account for the device's role in your infrastructure. Internet-facing or externally accessible GL.iNet routers warrant faster patching than those in isolated lab environments. The authentication requirement and high exploitation complexity reduce urgency compared to zero-click or unauthenticated flaws, but the flaw's potential to compromise cryptographic functions makes it strategically important if your router enforces security policies or handles sensitive traffic. Patch within 30–60 days for standard deployments; accelerate for critical or DMZ-facing instances.
Risk score, explained
The CVSS v3.1 score of 5.0 (MEDIUM) reflects a combination of factors: network accessibility (AV:N) provides broad attack potential, but the requirement for authenticated access (PR:L) and high attack complexity (AC:H) substantially reduce exploitability. The partial impact to confidentiality, integrity, and availability (C:L/I:L/A:L) limits blast radius. This is not a critical vulnerability requiring emergency patching, but it is legitimate and deserves prompt remediation, especially for routers handling security-sensitive functions.
Frequently asked questions
Which GL.iNet models are vulnerable?
Eight models are affected: A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000, and XE3000. Only those running firmware 4.8.x are vulnerable; 4.9.0 and later are patched.
What is a hard-coded cryptographic key and why is it a problem?
A hard-coded key is a cryptographic secret embedded directly into firmware or source code, the same for every device of that model. This means all routers share the same secret, making it impossible to ensure unique device identity or secure pairwise communication. An attacker who obtains or deduces the key can forge authentication, decrypt traffic, or impersonate the device.
Do I need to be connected to the internet to be exploited?
Yes, the attack vector is network-based (AV:N), so your router must have network connectivity. However, the attacker also requires valid credentials to the device (PR:L), meaning they need authentication first—either through a compromise elsewhere or admin access. Proper network segmentation and strong credentials reduce practical risk.
Is this vulnerability actively being exploited?
No. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and public exploit code has not been released. The high complexity and authentication requirement also make large-scale automated attacks unlikely.
This analysis is provided for informational and advisory purposes. SEC.co does not operate or maintain GL.iNet products. Verify all patch version numbers and compatibility against official GL.iNet documentation and vendor advisories before deployment. The risk assessment provided is general guidance; your organization's specific risk level depends on network architecture, device placement, authentication policies, and business criticality. Test patches in non-production environments before broad rollout. Consult with GL.iNet support or your network vendor for deployment guidance specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-50226MEDIUMHard-Coded AES Keys in AcerConnect OTA Enable Firmware Extraction
- CVE-2016-20064MEDIUMWP Vault 0.8.6.6 Arbitrary File Read via Directory Traversal
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11