CVE-2026-11447

Vulnerability

A command injection vulnerability exists in the iwinfo.scan ubus RPC method of GL.iNet GL-MT3000 devices up to version 4.4.5. The iwinfo.so component, specifically within the MTK backend's iwinfo_backend function, improperly handles the device argument. This argument is only validated as a string, allowing an attacker to inject malicious commands that are subsequently executed by the system() function [1].

Exploitation

An authenticated attacker can exploit this vulnerability remotely. The attacker needs to send a crafted POST request to the /rpc endpoint, calling the iwinfo scan ubus method with a specially formatted device parameter, such as "ra0; ; #". This payload bypasses validation and substring checks, leading to the execution of arbitrary commands within the sprintf and system calls in the MTK backend's scan function [1].

Impact

Successful exploitation of this vulnerability allows an attacker to achieve root command execution on the affected GL.iNet GL-MT3000 devices. This grants the attacker complete control over the device, enabling them to perform any action with root privileges, such as data exfiltration, device manipulation, or using the device as a pivot point for further network attacks.

Mitigation

GL.iNet recommends upgrading to version 4.7 or later to address this issue. Starting from version 4.7, the SDK includes global protection to intercept malicious injection. The vendor confirms that SDK protection was added in version 4.7. The exact release date for version 4.7 is not specified in the available references [1].