CVE-2026-11449 Overview
CVE-2026-11449 is a command injection vulnerability affecting GL.iNet GL-MT3000 firmware version 4.4.5. The flaw resides in the rpc_sys function of /cgi-bin/luci/rpc, part of the LuCI JSON-RPC interface. An authenticated remote attacker can manipulate input to inject arbitrary operating system commands on the affected router. The vendor has confirmed the issue is fixed in firmware version 4.8.1. According to GL.iNet, firmware releases after 4.7.13 do not install LuCI by default, which removes the vulnerable component from the attack surface. This vulnerability is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Remote authenticated attackers can execute arbitrary commands on affected GL-MT3000 routers running firmware 4.4.5, potentially leading to full device compromise.
Affected Products
- GL.iNet GL-MT3000 firmware version 4.4.5
- LuCI JSON-RPC Interface component
- Versions prior to 4.8.1 with LuCI installed (firmware ≤ 4.7.13)
Discovery Timeline
- 2026-06-07 - CVE-2026-11449 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-11449
Vulnerability Analysis
The vulnerability exists in the rpc_sys handler within the LuCI JSON-RPC interface exposed at /cgi-bin/luci/rpc. LuCI is the web interface framework used by OpenWrt-based devices, including GL.iNet routers. The rpc_sys endpoint accepts JSON-RPC requests intended to execute system management functions, but it fails to properly sanitize user-supplied parameters before passing them to system shell execution.
Attackers with valid credentials can craft JSON-RPC requests that embed shell metacharacters into parameters processed by rpc_sys. The injected payload executes with the privileges of the LuCI process, typically root on embedded router platforms. A public proof-of-concept is available in a GitHub PoC Repository.
Root Cause
The rpc_sys function passes attacker-controlled JSON-RPC arguments to a shell execution primitive without neutralizing metacharacters such as ;, |, &, and backticks. This represents a classic [CWE-74] injection weakness where untrusted input flows into a downstream interpreter context.
Attack Vector
Exploitation requires network reachability to the router's web interface and a valid low-privilege LuCI account. The attacker sends a crafted HTTP POST request to /cgi-bin/luci/rpc invoking the sys namespace with a malicious payload. The injected commands execute on the underlying Linux operating system. The vulnerability cannot be exploited on firmware after 4.7.13 because LuCI is no longer installed by default on those builds. No verified exploitation in the wild has been reported, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-11449
Indicators of Compromise
- HTTP POST requests to /cgi-bin/luci/rpc?auth=* containing shell metacharacters (;, |, `, $()) within JSON-RPC params fields
- Unexpected child processes spawned by the uhttpd or luci parent process on the router
- Outbound connections from the router to attacker-controlled infrastructure following LuCI authentication events
- Modifications to /etc/config/, /etc/passwd, or persistence in /etc/rc.local on affected devices
Detection Strategies
- Inspect HTTP request bodies destined for /cgi-bin/luci/rpc for JSON payloads invoking the sys namespace with suspicious argument content
- Correlate authenticated LuCI sessions with anomalous outbound traffic patterns from router management interfaces
- Monitor router syslog for luci process spawning shells (sh, ash, busybox) outside of routine administrative tasks
Monitoring Recommendations
- Forward router syslog and authentication logs to a central log management platform for retention and analysis
- Alert on any LuCI JSON-RPC traffic originating from outside trusted management network segments
- Track firmware version inventory across deployed GL-MT3000 units to identify devices still running 4.4.5
How to Mitigate CVE-2026-11449
Immediate Actions Required
- Upgrade affected GL-MT3000 devices to firmware version 4.8.1 or later using the official GL.iNet Firmware Release
- Restrict access to the router web administration interface to trusted management VLANs only
- Rotate all LuCI administrator credentials after upgrading, particularly on devices that were exposed to untrusted networks
- Audit the device for signs of prior compromise, including unauthorized cron jobs, modified configuration files, and unknown SSH keys
Patch Information
GL.iNet has released firmware version 4.8.1 for the GL-MT3000, which addresses CVE-2026-11449. Firmware versions after 4.7.13 do not install LuCI by default, eliminating the vulnerable component. Administrators should verify the post-upgrade build no longer ships LuCI or, if retained, includes the patched rpc_sys handler. Additional details are available in the VulDB CVE-2026-11449 advisory.
Workarounds
- Remove or disable the LuCI package on devices that cannot be immediately upgraded by uninstalling luci and related RPC modules via opkg
- Block external access to TCP ports 80 and 443 on the router WAN interface using firewall rules
- Limit LuCI accounts to the minimum required and enforce strong, unique passwords for any remaining administrative users
# Configuration example: disable LuCI RPC access on the WAN interface
uci add firewall rule
uci set firewall.@rule[-1].name='Block-LuCI-WAN'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='80 443'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
/etc/init.d/firewall restart
# Optional: remove the vulnerable LuCI package entirely
opkg remove luci luci-mod-rpc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

