CVE-2026-11449

MEDIUM

GL.iNet GL-MT3000 LuCI JSON-RPC rpc rpc_sys command injection

Title source: cna

Description

A security vulnerability has been detected in GL.iNet GL-MT3000 4.4.5. The impacted element is the function rpc_sys of the file /cgi-bin/luci/rpc of the component LuCI JSON-RPC Interface. Such manipulation leads to command injection. The attack may be performed from remote. Upgrading to version 4.8.1 is sufficient to resolve this issue. Upgrading the affected component is advised. The vendor confirms: "The issue discovered by the vulnerability researcher on older firmware versions(4.4.5) has actually been fixed and mitigated in the new version. According to the latest firmware fixes, by default, firmware versions after 4.7.13 do not install LuCI, so this vulnerability cannot be exploited."

References (6)

Core 6

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-369069 | GL.iNet GL-MT3000 LuCI JSON-RPC rpc rpc_sys command injection

https://vuldb.com/vuln/369069

Signature, Permissions Required signature permissions-required

VDB-369069 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/369069/cti

Third Party Advisory third-party-advisory

CVE-2026-11449 | CVE Analysis and Report

https://vuldb.com/cve/CVE-2026-11449

Third Party Advisory third-party-advisory

Submit #825385 | GL.iNet GL-MT3000 4.4.5 Command Injection

https://vuldb.com/submit/825385

Related related

https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/luci_rpc_sys_exec_rce

View Writeup ZIP pw:eip

Patch patch

https://fw.gl-inet.com/firmware/mt3000/release/mt3000-4.8.1-0819-1755615825.tar

Scores

CVSS v3 6.3

EPSS 0.0110

EPSS Percentile 61.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-74 CWE-77

Status published

Products (2)

GL.iNet/GL-MT3000 4.4.5

GL.iNet/GL-MT3000 4.8.1

Published Jun 07, 2026

Tracked Since Jun 07, 2026