CVE-2026-12186

Vulnerability

GL.iNet GL-MT3000 firmware versions up to 4.4.5 are affected by a command injection vulnerability in the Tor Proxy Service Configuration Handler. The flaw resides in the replace_country function within the library /usr/lib/oui-httpd/rpc/tor. Insufficient sanitization of the countries array parameter allows an attacker to inject shell metacharacters that are later evaluated unsafely during the tor_on() execution flow [1].

Exploitation

An attacker must first authenticate to the router's web interface. After authentication, a crafted HTTP request can be sent to the /rpc/tor endpoint with a malicious countries parameter containing shell metacharacters. The exploit is publicly available as a Python script [1] that automates the process, requiring only network access to the device.

Impact

Successful exploitation results in arbitrary remote code execution with root privileges on the device [1]. This compromises the confidentiality, integrity, and availability of the router and any connected network.

Mitigation

The vendor has released firmware version 4.7 which addresses the issue [1]. Users are strongly recommended to upgrade to this version. No workarounds are documented, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.