CVE-2026-11406
Description
GL.iNet MT3000 devices are vulnerable to command injection via malicious OpenVPN configuration files, allowing remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in GL.iNet MT3000 devices up to version 4.4.5, specifically within the ovpnclient.sh script of the OpenVPN Client Import Workflow. The issue stems from insufficient validation of uploaded OpenVPN configuration files, allowing attackers to inject malicious directives that are not properly filtered before being processed by OpenVPN as root [1].
Exploitation
An attacker with administrative credentials can exploit this vulnerability by uploading a crafted .ovpn configuration file via the /upload endpoint. The file content is not thoroughly validated. When the system later processes this configuration to start the OpenVPN client, a limited sed filter fails to remove dangerous directives. These directives, such as writepid, up, down, tls-verify, and client-connect, can then be executed with root privileges when OpenVPN is launched with --script-security 3 [1].
Impact
Successful exploitation allows an attacker to achieve arbitrary file creation on the system using directives like writepid, or to execute arbitrary commands with root privileges using directives like up, down, or tls-verify. This leads to a full compromise of the affected device [1].
Mitigation
GL.iNet has addressed this issue by implementing stricter checks on OpenVPN configuration files to prevent command injection attacks. Users should upgrade to version 4.9.0_beta3-1012-0513-1778656146 or later. The vendor confirms that checks for malicious content have been implemented to prevent attacks carried through malicious configuration files [1].
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The OpenVPN client import workflow does not sufficiently validate OpenVPN configuration files, allowing for command injection."
Attack vector
An attacker with administrative credentials can upload a malicious `.ovpn` configuration file via the `/upload` endpoint [1]. The file content is not adequately validated for dangerous OpenVPN directives. When the imported configuration is later processed by `ovpnclient.sh`, a limited `sed` filter only removes four directives, leaving many others intact. Since the OpenVPN process is launched with `--script-security 3` as root, injected directives can lead to arbitrary file creation or command execution [1].
Affected code
The vulnerability lies within the OpenVPN client import workflow, specifically involving the `ovpnclient.sh` script. The upload handler in `usr/share/gl-ngx/oui-upload.lua` permits file uploads to `/tmp/ovpn_upload/` without inspecting file content. The `ovpn-client.lua` validator also fails to check for dangerous directives. Finally, `ovpnclient.sh` applies a minimal `sed` filter before launching OpenVPN with root privileges [1].
What the fix does
The vendor states that the issue has been addressed by adding checks for malicious content in OpenVPN configuration files, to prevent command injection attacks carried through such files [1]. This implies that the validation of uploaded OpenVPN configuration files has been strengthened to detect and block dangerous directives.
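One way to write such a check is to invert the approach: instead of a short removal list like the four-directive `sed` filter, accept only directives on an allowlist. The script below is an added example, not GL.iNet's fix and not code from this CVE's references; the function name `ovpn_audit` and the `ALLOWED` and `INLINE` lists are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not GL.iNet's code. ALLOWED and INLINE are assumed policy
# lists for a plain client profile; extend them to match what you support.
ALLOWED="client dev proto remote resolv-retry nobind persist-key persist-tun"
ALLOWED="$ALLOWED remote-cert-tls cipher data-ciphers auth key-direction verb"
INLINE="ca cert key tls-auth tls-crypt"

# ovpn_audit FILE: print "line:directive" for each directive that is not on
# the allowlist. Returns 0 only when the file is clean.
ovpn_audit() {
    awk -v allowed="$ALLOWED" -v inline="$INLINE" '
    BEGIN {
        bad = 0
        n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
        n = split(inline, b, " ");  for (i = 1; i <= n; i++) blk[b[i]] = 1
    }
    { sub(/\r$/, "") }                        # tolerate CRLF uploads
    inblk != "" {                             # inside <tag> ... </tag>
        # Prefix match: closing early means more lines get audited.
        if (index($1, "</" inblk ">") == 1) inblk = ""
        next
    }
    /^[ \t]*([#;]|$)/ { next }                # comments and blank lines
    NF == 1 && $1 ~ /^<[a-z-]+>$/ {           # opening inline tag
        t = substr($1, 2, length($1) - 2)
        if (t in blk) { inblk = t; next }
    }
    {
        d = $1
        sub(/^--/, "", d)                     # "--up" is the same as "up"
        if (!(d in ok)) { print NR ":" d; bad = 1 }
    }
    END {
        if (inblk != "") { print NR ":unterminated <" inblk ">"; bad = 1 }
        exit bad
    }
    ' "$1"
}

# Constructed sample: three directives the page names, one hidden behind "--".
sample=$(mktemp)
printf '%s\n' 'client' 'remote vpn.example.net 1194' \
    '--up /tmp/x.sh' 'writepid /etc/x' 'tls-verify /tmp/y.sh' > "$sample"
ovpn_audit "$sample" || echo "rejected: $sample"
rm -f "$sample"
```

Because anything unlisted is rejected, a directive the filter author never thought of fails closed rather than reaching OpenVPN.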
Preconditions
- auth: Attacker must have administrative credentials.
- input: Attacker must be able to upload a crafted .ovpn configuration file.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
News mentions (0)
No linked articles in our index yet.