CVE-2026-11505
Description
GL.iNet devices running firmware 4.8.x are vulnerable to hard-coded cryptographic key usage, allowing remote command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw exists in the glnassys component of GL.iNet devices including A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000, and XE3000 running firmware version 4.8.x. This vulnerability involves the use of a hard-coded default authentication token, which can be exploited to call network storage related interfaces [1].
Exploitation
An attacker can exploit this vulnerability remotely by presenting the hard-coded default token. The token grants unauthorized access to network storage related interfaces, enabling malicious attacks such as command execution. Attack complexity is high, and the vulnerability is considered difficult to exploit [1].
Impact
Successful exploitation allows an attacker to use the default tokens to call any network storage related interface. This can lead to unauthorized access and command execution on the affected devices, compromising the system's integrity and confidentiality [1].
Mitigation
GL.iNet has released firmware version 4.9.x, which mitigates this issue for all affected products, including MT6000, A1300, AX1800, AXT1800, MT2500, MT3000, X3000, and XE3000. Upgrading to version 4.9.0 or later is advised [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (6)
- cloud-static-test.gl-inet.cn/security/openwrt-ipq60xx-glinet_ax1800-squashfs-sysupgrade.tar (nvd)
- github.com/gl-inet/CVE-issues/blob/main/4.0.0/The%20hard%20coded%20default%20authentication%20token%20in%20gl%20nas%20sys%20poses%20a%20risk%20to%20unauthorized%20command%20execution.md (nvd)
- vuldb.com/cve/CVE-2026-11505 (nvd)
- vuldb.com/submit/835698 (nvd)
- vuldb.com/vuln/369125 (nvd)
- vuldb.com/vuln/369125/cti (nvd)