eastbaycyber

CVE-2026-11450: Remote Command Injection in GL.iNet GL-MT3000

CVE explainers 10 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-06-07
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-11450
CVSS score 7.3 High
Attack vector Remote
Auth required Unknown from available primary data; defenders should assume unauthenticated exposure is risky until verified otherwise
Patch status Fixed / mitigated in firmware 4.7

TL;DR - GL.iNet GL-MT3000 firmware 4.4.5 is vulnerable to remote command injection. - Upgrade affected devices to firmware 4.7 and review exposure of the /rpc endpoint. - A public PoC exists; in-the-wild exploitation is not confirmed.

What is CVE-2026-11450?

CVE-2026-11450 is a high-severity command injection vulnerability affecting the GL.iNet GL-MT3000 router. According to the NVD description, the issue was detected in firmware version 4.4.5 and involves the dlopen function in the library path /usr/lib/oui-httpd/rpc/, specifically within a Path Normalization Handler. The flaw can be triggered by manipulating the dev_name argument, resulting in command injection.

The practical security implication is straightforward: a remotely reachable control path in the device’s HTTP RPC interface can be abused to reach dangerous functionality and execute unintended commands. NVD states that the attack can be initiated remotely. That matters because these devices are often used at network edges, remote sites, temporary offices, and travel deployments where management interfaces may be reachable from untrusted segments.

The most important version facts that can be stated confidently from the available source material are narrow and specific. Firmware 4.4.5 is confirmed affected. Firmware 4.7 is the fixed or mitigated version. It would be tempting to generalize that all versions before 4.7 are vulnerable, but the available primary data does not explicitly confirm that broader range. For defenders, the safe assumption is to treat 4.4.5 as vulnerable, 4.7 as remediated, and any versions between those points as requiring direct vendor validation before trust is placed in them.

A further operational nuance is that the vendor-described fix appears to be more than input sanitization. The mitigation reportedly adds method-level validation at the HTTP /rpc layer and removes nas-web.eject_disk from the allowed method whitelist. In other words, the vendor’s remediation blocks the exploit chain by preventing direct access to a dangerous RPC method through the default endpoint.

Exploitation status and why it matters

A public PoC or research reference exists. The available material points to a GitHub repository under:

  • https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/nas_eject_disk_do1_glc_rce

That does not automatically mean broad weaponization, but it does increase risk. Public technical material lowers the barrier for copycat exploitation, internal red-team reproduction, and automated scanning by opportunistic actors. For defenders, the right conclusion is: this is no longer a purely theoretical issue.

At the same time, confirmed in-the-wild exploitation is not established from the available sources. The CVE is not listed in CISA KEV as of the stated research date, and no primary-source evidence was provided showing active exploitation campaigns. That means defenders should avoid overclaiming. The correct statement is: PoC exists, but exploitation in the wild is not currently confirmed.

That distinction matters for prioritization. A public PoC plus remote reachability usually warrants prompt patching, especially for internet-exposed appliances. Lack of KEV listing should not be read as a reason to defer indefinitely. KEV is a useful signal, not a complete inventory of all real-world exploitation. For branch-office routers, where compromise can yield footholds, traffic interception opportunities, or persistence, a command injection flaw should still rank high.

Because the full CVSS vector was not available in the retrieved record, fields such as authentication requirements and exact privileges required cannot be quoted authoritatively here. In the absence of that data, defenders should assume the worst reasonable case for exposed /rpc access and verify control-plane protections directly.

AnalystImpact · assess the risk

Who is affected?

The confirmed affected product is the GL.iNet GL-MT3000. From the source-backed data provided, the explicitly vulnerable firmware version is 4.4.5. The fixed version is 4.7. Those are the only version points that can be quoted with confidence without inventing unsupported ranges.

For asset owners, that means the first task is inventory, not speculation. If you operate GL-MT3000 units, identify which ones are on 4.4.5 immediately. If you are already on 4.7, the available evidence indicates that the vendor mitigation is present. If you are on some other release and do not have a vendor statement tying that release to this CVE, do not assume safety based on release recency alone. Validate against vendor release notes or test the behavior of the /rpc method exposure directly in a maintenance window.

This vulnerability is especially relevant for organizations that use compact travel or branch routers in lightly managed environments. These devices often sit outside the normal server patching lifecycle and may not be covered by enterprise vulnerability scanners. Managed service providers, SMBs with distributed sites, and IT teams that deploy GL.iNet gear for backup connectivity or temporary networking should treat this as an asset-discovery and configuration-review issue, not just a firmware-update issue.

If internet exposure exists for the device management plane, urgency increases. Even without confirmed active exploitation in the wild, a remotely exploitable command injection flaw with a public PoC is enough to justify accelerated remediation. If the management interface is only reachable internally, the risk is lower but still material, especially in environments where lateral movement from compromised endpoints is a realistic scenario.

Technical deep dive

The available technical description points to a command injection path involving dlopen in /usr/lib/oui-httpd/rpc/ and a Path Normalization Handler that mishandles the dev_name argument. From a defender’s perspective, the exact internal code path matters less than the architectural lesson: a user-controlled value appears to reach sensitive functionality in a context where shell metacharacters, path manipulation, or unsafe downstream command construction can produce arbitrary command execution.

The vendor-side mitigation is revealing. Rather than only describing input validation on dev_name, the fix reportedly introduces method-level validation and removes nas-web.eject_disk from the default /rpc whitelist. That suggests the exploit chain depended not only on dangerous input handling, but also on excessive exposure of an RPC method that should not have been callable through that endpoint in the first place. In security engineering terms, the patch appears to tighten both reachability and input-to-execution flow.

That pattern is common in embedded web interfaces: exploitable conditions often emerge from a combination of overexposed control functions and weak validation at argument boundaries. For defenders, this means future hardening should include not just patching this single CVE, but reviewing whether device administration services are exposed more broadly than required.

Technical Notes

Key source-backed facts

Affected product: GL.iNet GL-MT3000
Confirmed vulnerable version: 4.4.5
Fixed version: 4.7
Bug class: Command injection
Remote exploitation: Yes, according to NVD description
Trigger detail: manipulation of dev_name
Component path: /usr/lib/oui-httpd/rpc/
Method noted in vendor fix discussion: nas-web.eject_disk
ResponderRunbook · act now

Detection and investigation guidance

Start with the basics: identify GL-MT3000 devices, enumerate firmware versions, and assess whether the HTTP management or RPC interface is reachable from untrusted networks. If you find firmware 4.4.5, treat the asset as exposed to this CVE until it is upgraded or access is restricted. If the router is managed remotely, confirm whether access to /rpc is limited to a trusted admin network or VPN.

Next, review available web server, reverse proxy, firewall, and network telemetry for requests targeting /rpc, especially those referencing nas-web.eject_disk, unusual dev_name values, or malformed parameter sequences. The vendor mitigation note says that in 4.7, direct calls to that method through the default endpoint return Invalid params. That response can be useful both as a validation signal after patching and as a clue during retrospective investigation.

Detection will vary based on how much logging the device itself exposes. In many SMB and edge-router environments, the most useful telemetry may come from upstream firewalls, SPAN captures, or a reverse proxy if one sits in front of administrative access. If the device logs process execution, shell invocation, or RPC handler errors, inspect those records for evidence of unexpected command execution flowing from web requests.

Technical Notes

Example network and log hunting patterns

Look for HTTP requests to /rpc with references to the suspicious method name:

POST /rpc HTTP/1.1
Host: <router>
Content-Type: application/json

{"method":"nas-web.eject_disk","params":{"dev_name":"<suspicious input>"}}

Simple grep-style searches for exported logs or reverse-proxy records:

grep -R '/rpc' /var/log 2>/dev/null
grep -R 'nas-web.eject_disk' /var/log 2>/dev/null
grep -R 'Invalid params' /var/log 2>/dev/null

Example Splunk search for web logs:

index=network OR index=web
("/rpc" AND "nas-web.eject_disk")
OR ("/rpc" AND "dev_name")
OR ("Invalid params" AND "/rpc")

Example Sigma-style concept for proxy or web logs:

title: GL.iNet MT3000 Suspicious RPC Method Access
logsource:
  category: webserver
detection:
  sel1:
    cs-uri|contains: "/rpc"
  sel2:
    cs-uri-query|contains:
      - "nas-web.eject_disk"
      - "dev_name="
  condition: sel1 and sel2
level: high

If you capture packet data, a lightweight signature concept is to alert on JSON bodies containing both /rpc and nas-web.eject_disk. Exact wire signatures should be tuned locally to avoid false positives and account for encryption or proxy termination points.

Mitigation and patching

The primary remediation is to upgrade GL.iNet GL-MT3000 devices from firmware 4.4.5 to firmware 4.7. That is the fixed version explicitly identified in the available material. The vendor-confirmed behavior change is important: from version 4.7 onward, method-level validation is enabled at the HTTP /rpc layer, and nas-web.eject_disk is no longer in the whitelist of allowed methods. Direct calls should return Invalid params, which blocks the known exploit chain.

If you cannot patch immediately, reduce attack surface first. Restrict access to the management interface and /rpc endpoint to trusted administrative networks only. Remove any internet exposure, require VPN-based administration, and use firewall rules to limit source IPs. Because the exact authentication requirements are not confirmed in the available record, defenders should not assume that existing admin login controls are sufficient compensating controls.

A good mitigation plan has three parallel tracks: patch, isolate, validate. Patch vulnerable firmware. Isolate the management plane from untrusted networks. Then validate behavior after the change by confirming that direct invocation of the previously reachable method no longer works as it did before. Also review credentials and device integrity if there is any sign of prior probing or suspicious requests, because command injection raises the possibility of persistent changes.

Technical Notes

Upgrade and validation workflow

Exact GL.iNet upgrade steps can vary by deployment and whether devices are managed through the web UI or CLI. If you use the underlying OpenWrt-style shell for verification, start by checking the current version:

cat /etc/openwrt_release
uname -a

If your operational process uses the web interface, upload or select firmware 4.7 for the GL-MT3000 and complete the vendor-supported upgrade flow. If you manage images manually on a maintenance bench, follow vendor documentation for the specific hardware revision before issuing any flash command. Do not guess firmware paths or use generic OpenWrt flashing steps unless you have confirmed they apply to this device model and image format.

As a workaround when immediate upgrade is not possible, block access to the management endpoint from untrusted sources. Example upstream firewall controls:

# Example only: restrict HTTPS admin access to a trusted subnet
iptables -A INPUT -p tcp --dport 443 ! -s 10.0.10.0/24 -j DROP

# Example only: restrict HTTP admin access if enabled
iptables -A INPUT -p tcp --dport 80 ! -s 10.0.10.0/24 -j DROP

Post-upgrade, validate that the dangerous RPC path is no longer reachable through the default endpoint:

curl -sk https://<router>/rpc \
  -H 'Content-Type: application/json' \
  -d '{"method":"nas-web.eject_disk","params":{"dev_name":"test"}}'

Based on the vendor statement quoted in the NVD record, a remediated system should return behavior consistent with:

Invalid params

If the endpoint still accepts the method without that rejection behavior, treat the device as not fully remediated and re-check firmware level, image provenance, and exposure.

References

The primary references for this CVE are:

Source URL Notes
NVD https://nvd.nist.gov/vuln/detail/CVE-2026-11450 Primary source for description, affected version 4.4.5, and fixed version 4.7
GitHub https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/nas_eject_disk_do1_glc_rce Public PoC or research reference
VulDB https://vuldb.com/cve/CVE-2026-11450 Third-party catalog entry; direct retrieval was not available in the provided research context

For practitioners, the bottom line is clear: if you run GL.iNet GL-MT3000 firmware 4.4.5, move to 4.7 as soon as operationally feasible, restrict /rpc exposure, and review logs for requests targeting nas-web.eject_disk or suspicious dev_name values. Even without confirmed in-the-wild exploitation, the combination of remote attackability and a public PoC is enough to justify immediate action.

For further understanding, you may want to check our articles on what is an indicator of compromise and risk management in cybersecurity.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-07

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.