CVE-2026-11447 Overview
CVE-2026-11447 is a command injection vulnerability affecting GL.iNet GL-MT3000 routers running firmware versions up to 4.4.5. The flaw resides in the iwinfo_backend function within iwinfo.so, a component of the MTK Backend. Attackers can manipulate the device argument to inject arbitrary operating system commands. The vulnerability is remotely reachable and a public exploit has been released. The vendor has confirmed the issue and added global injection protection starting in SDK version 4.7.
Critical Impact
Authenticated network attackers can inject operating system commands through the device parameter of the iwinfo_backend function, leading to arbitrary command execution on affected GL-MT3000 routers.
Affected Products
- GL.iNet GL-MT3000 firmware versions up to and including 4.4.5
- iwinfo.so library within the MTK Backend component
- Devices running SDK versions earlier than 4.7
Discovery Timeline
- 2026-06-07 - CVE-2026-11447 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-11447
Vulnerability Analysis
The vulnerability is classified under CWE-74 as improper neutralization of special elements in output used by a downstream component. The flaw lives in the iwinfo_backend function exposed through the MTK Backend iwinfo.so library on GL.iNet GL-MT3000 devices. This function accepts a device argument that is passed to an underlying shell or system command without sufficient sanitization. A network-reachable attacker holding low-privilege credentials can submit a crafted device value containing shell metacharacters. The injected payload executes in the context of the backend process. EPSS data reports a probability of 1.077% with a percentile of 78.224, indicating measurable exploitation interest.
Root Cause
The root cause is missing input neutralization in iwinfo_backend. User-controlled data flows from a ubus-exposed interface into a command construction routine. The implementation concatenates the device parameter into a command string rather than passing it as an argument array, allowing shell metacharacters such as ;, |, and backticks to terminate the intended command and start a new one.
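The two command-construction styles described above, contrasted in an added Python sketch. This is not the firmware's code, which is native and is not reproduced on this page. `echo` stands in for the backend's real command, and the function names, the sample value and the interface-name allowlist are assumptions made for the illustration.

```python
import re
import subprocess

# Assumed allowlist: a Linux interface name is at most 15 bytes (IFNAMSIZ - 1).
# The first character must be alphanumeric so the value can never be read as
# a command-line option by the tool that receives it.
IFNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,14}")

TOOL = "echo"  # stand-in for the real backend command (not shown in the advisory)
CRAFTED = "ra0; echo SECOND-COMMAND"  # constructed, harmless sample value


def scan_concatenated(device: str) -> str:
    """Pattern from the root cause: the value is spliced into a shell string."""
    cmd = TOOL + " scan " + device
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def scan_argv_unchecked(device: str) -> str:
    """Argument array, no shell: metacharacters stay inside one argv element."""
    return subprocess.run([TOOL, "scan", device],
                          capture_output=True, text=True).stdout


def scan_argv(device: str) -> str:
    """Hardened form: allowlist the value first, then pass it as one argument."""
    if not IFNAME_RE.fullmatch(device):
        raise ValueError(f"rejected device name: {device!r}")
    return scan_argv_unchecked(device)


if __name__ == "__main__":
    print(repr(scan_concatenated("ra0")))      # one command runs
    print(repr(scan_concatenated(CRAFTED)))    # the shell runs two commands
    print(repr(scan_argv_unchecked(CRAFTED)))  # one command, literal argument
    try:
        scan_argv(CRAFTED)
    except ValueError as exc:
        print(exc)                             # value never reaches the tool
```

The argument array removes the shell from the path, and the allowlist is still needed so that a value beginning with `-` cannot be interpreted as an option.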
Attack Vector
The attack is delivered over the network through the router's management surface, which exposes the affected ubus method. An attacker with low-privilege access invokes the iwinfo scan call and supplies a malicious device value. Because the public proof-of-concept is available in the GitHub PoC Repository, exploitation tooling is readily reproducible.
No verified exploitation code is reproduced here. Technical specifics are documented in the VulDB Vulnerability Report and the linked PoC repository.
Detection Methods for CVE-2026-11447
Indicators of Compromise
- Unexpected child processes spawned by the iwinfo or ubus daemons on GL-MT3000 devices.
- ubus calls invoking iwinfo with device values containing shell metacharacters such as ;, &, |, $(), or backticks.
- Outbound connections from the router to unfamiliar hosts shortly after wireless scan requests.
Detection Strategies
- Inspect router system logs and ubusd traces for malformed device arguments passed to iwinfo scan operations.
- Monitor for non-standard processes executed by the user account running the MTK backend.
- Apply signature-based network detection for ubus RPC requests targeting iwinfo_scan with injection patterns.
Monitoring Recommendations
- Centralize syslog from GL-MT3000 routers to a SIEM and alert on shell-metacharacter patterns in iwinfo parameters.
- Track firmware versions across the fleet and flag any device still on 4.4.5 or earlier.
- Baseline normal ubus call frequency and alert on anomalous spikes that may indicate exploitation attempts.
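One way to apply the shell-metacharacter check from the lists above to logged ubus requests, added here as an example and not part of the original advisory. It assumes each log line is `<source address> <JSON body>` and that requests use the standard OpenWrt ubus JSON-RPC envelope, `params = [session, object, method, args]`. The sample lines are constructed, and the allowlist is an assumption about valid interface names.

```python
import json
import re

# Allowlist instead of a metacharacter blocklist: anything that is not a
# plausible interface name (max 15 bytes) is reported, which covers
# ; & | $() and backticks as well as characters no blocklist anticipated.
IFNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,14}")


def suspicious_calls(log_lines):
    """Return (line number, source, method, device) for abnormal device values."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        src, _, body = line.partition(" ")
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            continue  # not a JSON-RPC body
        # JSON-RPC allows batches: treat a single request as a batch of one.
        for req in doc if isinstance(doc, list) else [doc]:
            params = req.get("params") if isinstance(req, dict) else None
            if not (isinstance(params, list) and len(params) == 4):
                continue
            _session, obj, method, args = params
            if obj != "iwinfo" or not isinstance(args, dict) or "device" not in args:
                continue
            device = args["device"]
            if not (isinstance(device, str) and IFNAME_RE.fullmatch(device)):
                findings.append((lineno, src, method, device))
    return findings


# Constructed sample input (documentation addresses, placeholder session id).
SAMPLE_LOG = [
    '192.0.2.10 {"jsonrpc":"2.0","id":1,"method":"call",'
    '"params":["SID","iwinfo","scan",{"device":"ra0"}]}',
    '198.51.100.7 {"jsonrpc":"2.0","id":2,"method":"call",'
    '"params":["SID","iwinfo","scan",{"device":"ra0;id"}]}',
    '198.51.100.7 [{"jsonrpc":"2.0","id":3,"method":"call",'
    '"params":["SID","system","board",{}]},'
    '{"jsonrpc":"2.0","id":4,"method":"call",'
    '"params":["SID","iwinfo","scan",{"device":"rax0$(id)"}]}]',
    '192.0.2.10 GET /index.html',
]

if __name__ == "__main__":
    for finding in suspicious_calls(SAMPLE_LOG):
        print(finding)
```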
How to Mitigate CVE-2026-11447
Immediate Actions Required
- Upgrade affected GL-MT3000 devices to firmware version 4.7 or later, which introduces global protection against malicious injection in the SDK.
- Restrict management plane access to trusted administrative networks and disable remote administration where not required.
- Rotate credentials on any device that may have processed untrusted ubus requests.
Patch Information
The vendor confirms that starting from version 4.7, the SDK adds global protection to intercept malicious injection. Administrators should apply this firmware update on every affected GL-MT3000 device. Patch and advisory details are tracked in the VulDB CVE Listing.
Workarounds
- Place affected routers behind a firewall that blocks untrusted access to the web and ubus management interfaces.
- Limit ubus access to authenticated administrative accounts and remove any low-privilege accounts that are not strictly necessary.
- Disable wireless scan features exposed through ubus until firmware 4.7 or later is installed.
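# Configuration example: restrict management access at the firewall level
# @zone[0] is the first zone section in /etc/config/firewall; check which zone
# that is with `uci show firewall` before applying.
# Default policy for traffic addressed to the router itself from that zone.
# DROP covers every router service reachable from the zone, not only management.
uci set firewall.@zone[0].input='DROP'
# Attach the 'lan' network to the zone
uci add_list firewall.@zone[0].network='lan'
uci commit firewall
/etc/init.d/firewall restart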


