CVE-2026-12187
Description
Command injection in GL.iNet GL-MT3000 online firmware upgrade handler allows authenticated remote attackers to execute arbitrary commands as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in the online firmware upgrade workflow of GL.iNet GL-MT3000 devices running firmware versions up to 4.4.5. The flaw resides in the /usr/bin/one_click_upgrade script, which is invoked by the upgrade.upgrade_online RPC handler. The handler accepts a user-controlled firmware URL via the POST /rpc endpoint and passes it unsanitized into a shell command using string.format and os.execute. No input validation or character filtering is applied to the URL parameter, allowing injection of shell metacharacters. [1]
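The handler pattern described above, and a hardened counterpart, as an added illustration that is not GL.iNet's code: the vulnerable function mirrors the described flow (a caller-supplied URL formatted straight into a shell command line), while the hardened path validates the URL against a strict allowlist and builds an argument vector so no shell ever interprets it. The https-only, host-and-path-only allowlist, the example.invalid URLs and the three extra positional arguments (the advisory names only the URL) are assumptions made for this example.

```python
import re
import subprocess
from urllib.parse import urlsplit

UPGRADE_SCRIPT = "/usr/bin/one_click_upgrade"   # script path named in the advisory

# Constructed sample inputs (not taken from the advisory).
BENIGN_URL = "https://fw.example.invalid/gl-mt3000/firmware-4.7.img"
SUSPECT_URLS = [
    "https://fw.example.invalid/fw.img$(command)",  # command substitution
    "https://fw.example.invalid/fw.img;command",     # command separator
    "https://fw.example.invalid/fw.img`command`",    # backtick substitution
    "https://fw.example.invalid/fw.img | command",   # pipe plus whitespace
    "http://fw.example.invalid/fw.img",              # cleartext download
]

# Allowlist assumed for this example: a firmware download URL needs only a DNS
# hostname, an optional port and a plain path. Every shell metacharacter
# ($ ( ) ; | ` & < > quotes, whitespace) lies outside these character sets, so a
# URL that passes validation is inert even if it were later handed to a shell.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_NETLOC_RE = re.compile(r"^%s(?:\.%s)*(?::\d{1,5})?$" % (_LABEL, _LABEL))
_PATH_RE = re.compile(r"^/[A-Za-z0-9._~/-]*$")


def vulnerable_build_command(url, a2="", a3="", a4=""):
    """Mirror of the pattern the advisory describes (Lua string.format followed by
    os.execute): the URL is pasted into a shell command line with no filtering, so
    anything the shell treats specially in `url` is interpreted by the shell."""
    return "%s %s %s %s %s &" % (UPGRADE_SCRIPT, url, a2, a3, a4)


def validate_firmware_url(url):
    """Return the URL unchanged if it is an https URL consisting of an allowlisted
    host, optional port and plain path only; raise ValueError otherwise."""
    if not isinstance(url, str) or not url or len(url) > 2048:
        raise ValueError("firmware URL missing or too long")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("firmware URL must use https")
    if not _NETLOC_RE.match(parts.netloc):
        raise ValueError("firmware URL host is not allowed")
    if not _PATH_RE.match(parts.path):
        raise ValueError("firmware URL path contains disallowed characters")
    if parts.query or parts.fragment:
        raise ValueError("firmware URL must not carry a query or fragment")
    return url


def rejects(url):
    """True when the validator refuses the URL; used to exercise the allowlist."""
    try:
        validate_firmware_url(url)
    except ValueError:
        return True
    return False


def hardened_upgrade_argv(url, a2="", a3="", a4=""):
    """Validate first, then build an argument vector. With argv there is no shell
    between the handler and the script, so the URL arrives as a single argument
    regardless of its contents; validation additionally keeps junk out of the script."""
    safe_url = validate_firmware_url(url)
    return [UPGRADE_SCRIPT, safe_url, a2, a3, a4]


def launch_upgrade(argv):
    """Start the upgrade script in the background without a shell (subprocess's
    default is shell=False). Not exercised by the tests: the script is not present
    on a workstation."""
    return subprocess.Popen(argv)


if __name__ == "__main__":
    print("vulnerable command line:", vulnerable_build_command(SUSPECT_URLS[0]))
    print("hardened argv:", hardened_upgrade_argv(BENIGN_URL))
    for u in SUSPECT_URLS:
        print("rejected" if rejects(u) else "ACCEPTED", u)
```

The two fixes are independent and both belong in a handler like this: argv execution removes the shell that gives metacharacters meaning, and the allowlist keeps the upgrade script from ever seeing a URL the device has no business fetching (cleartext http, userinfo, query strings).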
Exploitation
An attacker must first obtain authenticated access to the device's web interface. The exploit sequence is: authenticate via POST /rpc to obtain a session ID, then call upgrade.upgrade_online with a crafted firmware URL containing shell metacharacters (e.g., $(command)). The URL is inserted directly into the command string /usr/bin/one_click_upgrade %s %s %s %s &, and command substitution executes the injected command with root privileges before the firmware upgrade proceeds. The exploit has been publicly disclosed. [1]
Impact
Successful exploitation grants the attacker arbitrary command execution as the root user on the device. This leads to full compromise: the attacker can read and write any file, install persistent malware, exfiltrate sensitive data, or pivot to other devices on the network. The firmware checksum verification fails after injection, so no actual firmware upgrade occurs, but the injected commands execute with full root privileges. [1]
Mitigation
The vendor has released a fixed version 4.7 that addresses this vulnerability. Users should upgrade to 4.7 or later immediately. No workaround is available for unpatched versions. The vendor responded promptly and released the fix in a professional manner. [1]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (6)
News mentions (0)
No linked articles in our index yet.