CVE-2026-11449
Description
GL.iNet GL-MT3000 firmware 4.4.5 has a command injection vulnerability in the LuCI JSON-RPC interface, allowing authenticated remote attackers to execute arbitrary commands as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in the LuCI JSON-RPC interface of GL.iNet GL-MT3000 devices running firmware version 4.4.5. The issue lies within the rpc_sys function in /cgi-bin/luci/rpc, which allows the luci.sys.exec function to be called without proper sanitization or method whitelisting, enabling arbitrary command execution.
Exploitation
An attacker with root credentials can exploit this vulnerability by sending a specially crafted POST request to the /cgi-bin/luci/rpc/sys endpoint. After authenticating using a valid root password, the attacker can invoke the exec method with a desired command, which will be executed on the device. The output of the command is returned directly in the JSON-RPC response.
Impact
Successful exploitation allows an authenticated remote attacker to execute arbitrary shell commands with root privileges on the affected GL.iNet GL-MT3000 device. This could lead to a complete compromise of the device, including data theft, modification, or disruption of services.
Mitigation
GL.iNet has fixed this vulnerability in newer firmware versions. Firmware versions after 4.7.13 do not install LuCI by default, mitigating the risk. Users are advised to upgrade to firmware version 4.8.1 or later. The vendor confirms that versions after 4.7.13 are not affected. [1]
AI Insight generated on Jun 7, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The LuCI JSON-RPC interface allows unauthenticated or improperly authenticated users to execute arbitrary commands by calling the `sys.exec` function without proper sanitization or method whitelisting."
Attack vector
An attacker can remotely trigger this vulnerability by sending a crafted JSON-RPC request to the `/cgi-bin/luci/rpc/sys` endpoint. The attacker must first authenticate to the `/cgi-bin/luci/rpc/auth` endpoint, which does not require a prior session. Once authenticated, the attacker can call the `exec` method with arbitrary shell commands, which are then executed as root on the system. The output of the command is returned directly in the JSON-RPC response [ref_id=1].
Affected code
The vulnerability resides in the LuCI JSON-RPC interface, specifically within the `rpc_sys` function in `/usr/lib/lua/luci/controller/rpc.lua`. This function clones the entire `luci.sys` module and passes it to `jsonrpc.handle`, which uses reflective lookup (`rawget`) to dispatch methods. The `luci.sys.exec` function, aliased to `luci.util.exec` in `/usr/lib/lua/luci/sys.lua`, directly calls `io.popen` with unsanitized user input [ref_id=1].
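As an added illustration (not LuCI's or GL.iNet's code), the mitigation a maintainer would apply to the dispatch pattern just described: instead of handing the whole `luci.sys` table to the JSON-RPC layer, expose a view that holds only an explicit allow-list of methods, so a reflective `rawget` lookup for `exec` finds nothing. The `dispatch` function and the `fake_sys` table are constructed stand-ins for `jsonrpc.handle` and `luci.sys`, which are assumed to behave as the advisory describes.

```lua
-- Added example, not LuCI's or GL.iNet's code. Models the dispatch described
-- in the advisory: a module table handed to the JSON-RPC layer, which resolves
-- method names reflectively with rawget.
local unpack = table.unpack or unpack  -- Lua 5.1 (OpenWrt) vs. 5.2+

-- Build a plain table containing only the allow-listed functions of `mod`.
-- No metatable is set, so neither rawget nor a normal index can fall back
-- to the full module (and therefore never to `exec`).
local function build_allowlisted_view(mod, allowed)
  local view = {}
  for _, name in ipairs(allowed) do
    local fn = rawget(mod, name)
    if type(fn) == "function" then
      view[name] = fn
    end
  end
  return view
end

-- Minimal stand-in for the reflective dispatch step (the real handler,
-- luci.jsonrpc.handle, is not reproduced here).
local function dispatch(mod, method, params)
  local fn = rawget(mod, method)
  if type(fn) ~= "function" then
    return { error = "Method not found: " .. tostring(method) }
  end
  return { result = fn(unpack(params or {})) }
end

-- Constructed stand-in for luci.sys; the real module's exec wraps io.popen.
local fake_sys = {
  hostname = function() return "router" end,
  uptime   = function() return 12345 end,
  exec     = function(cmd) return "WOULD RUN: " .. cmd end,
}

-- Vulnerable pattern: the whole module is exposed, so exec is reachable.
print(dispatch(fake_sys, "exec", { "id" }).result)

-- Hardened pattern: only read-only informational methods are exposed.
local safe_sys = build_allowlisted_view(fake_sys, { "hostname", "uptime" })
print(dispatch(safe_sys, "hostname").result)
print(dispatch(safe_sys, "exec", { "id" }).error)
```

The same check can be applied at the controller level by validating the requested method against the allow-list before any lookup, which is the defence the advisory says was missing (no method whitelisting).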
What the fix does
The vendor states that firmware versions after 4.7.13 no longer install the LuCI component by default, which mitigates this vulnerability. For versions where LuCI is present, upgrading to version 4.8.1 is recommended. The advisory does not provide specific patch details but indicates that the issue has been fixed and mitigated in newer versions [ref_id=1].
Preconditions
- auth: The attacker must have valid root credentials to authenticate to the RPC interface.
- network: The attacker must be able to reach the device over the network.
- config: The device must be running a vulnerable version of the firmware (e.g., 4.4.5) and have the LuCI component installed and accessible via `/cgi-bin/luci/rpc`.
Reproduction
POST /cgi-bin/luci/rpc/auth {"method":"login", "params":["root","<password>"]}
POST /cgi-bin/luci/rpc/sys?auth=<sid> {"method":"exec", "params":["<command>"]} [ref_id=1]
Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 6
News mentions: 0
No linked articles in our index yet.