PatchSiren cyber security CVE debrief

CVE-2026-11452 GL.iNet CVE debrief

A command injection vulnerability has been discovered in GL.iNet GL-MT3000 up to 4.4.5. The vulnerability affects the SET_USER_PWD Handler in the /cgi-bin/glc file, specifically in the FUN_0042e200 function. The manipulation of the Password argument leads to command injection, allowing remote attackers to execute arbitrary commands. The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity. To address this issue, users are recommended to upgrade to version 4.8.1 or later.

Vendor: GL.iNet
Product: GL-MT3000
CVSS: 6.9 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-07
Original CVE updated: 2026-06-08
Advisory published: 2026-06-07
Advisory updated: 2026-06-08

Who should care

Administrators and users of GL.iNet GL-MT3000 devices running firmware up to 4.4.5 should be aware of this vulnerability and apply the defensive actions listed below.

Technical summary

The vulnerability is caused by improper handling of the Password argument in the SET_USER_PWD handler of the /cgi-bin/glc file: the value reaches a shell command without adequate quoting, so a remote attacker can inject arbitrary commands. The vendor has addressed this issue in version 4.8.1, where the code now escapes single quotes in the password parameter and places it inside a shell single-quote context, so the shell treats the whole value as a literal and performs no command substitution on it.
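As an added illustration (not GL.iNet's code; the real handler FUN_0042e200 is a compiled function whose command line is not public), a hypothetical vulnerable pattern sits beside the single-quote escaping the fix is described as applying, with a check that a POSIX shell would hand the program the password as exactly one argument:

```python
import shlex

# Constructed sample passwords (not from the advisory): one ordinary value and
# three carrying a single quote, the character that ends a '...' context.
SAMPLE_PASSWORDS = [
    "correct horse battery",
    "it's",
    "x'; echo injected; '",        # closes the quote and appends a command
    "x'$(echo substituted)'",      # closes the quote and adds a substitution
]

# Hypothetical placeholder: the program FUN_0042e200 actually invokes is unknown.
PROGRAM = "set_user_pwd"


def vulnerable_command(password: str) -> str:
    """Hypothetical pre-fix pattern: the raw password is spliced between
    single quotes, so an embedded quote ends the quoted context."""
    return f"{PROGRAM} '{password}'"


def shell_single_quote(value: str) -> str:
    """Escape for a single-quote context: close the quote, emit an escaped
    quote, reopen.  This is the rule the 4.8.1 fix is described as applying."""
    return "'" + value.replace("'", "'\\''") + "'"


def fixed_command(password: str) -> str:
    return f"{PROGRAM} {shell_single_quote(password)}"


def password_survives_intact(build, password: str) -> bool:
    """True when a POSIX shell would hand PROGRAM exactly one argument equal
    to the password (shlex applies quoting rules; it does not run anything)."""
    try:
        argv = shlex.split(build(password))
    except ValueError:  # unbalanced quote: the shell would reject or misparse it
        return False
    return argv == [PROGRAM, password]


def audit() -> dict:
    """Per sample password: (intact under vulnerable pattern, intact under fix)."""
    return {p: (password_survives_intact(vulnerable_command, p),
                password_survives_intact(fixed_command, p))
            for p in SAMPLE_PASSWORDS}


if __name__ == "__main__":
    for pwd, (before, after) in audit().items():
        print(f"{pwd!r:32} vulnerable={before!s:5} fixed={after}")
```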

Defensive priority

High

Recommended defensive actions

  • Upgrade to version 4.8.1 or later to address the vulnerability.
  • Review and monitor requests to the /cgi-bin/glc endpoint for signs of exploitation attempts against the SET_USER_PWD handler.

Evidence notes

The vulnerability was reported by an unknown source and is listed in the NVD database. The CVE record and NVD detail pages provide additional information about the vulnerability.

Official resources

CVE-2026-11452 was published on 2026-06-07T04:16:29.960Z and modified on 2026-06-08T14:57:14.757Z.