CVE-2026-11505 GL.iNet CVE debrief

Who should care

Administrators and users of GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000, and XE3000 devices running firmware version 4.8.x should be aware of this vulnerability and take steps to upgrade to version 4.9.0.

Technical summary

The vulnerability (CVE-2026-11505) is caused by a flaw in the glnassys component of GL.iNet devices running firmware 4.8.x. It allows for the use of a hard-coded cryptographic key, which could be exploited remotely. The attack requires a high level of complexity and is considered difficult to execute. The CVSS:4.0 vector is AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

Low

Recommended defensive actions

• Upgrade affected GL.iNet devices to firmware version 4.9.0.

Evidence notes

The CVE-2026-11505 record was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-11505) and details are also available on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-11505).

Official resources