CVE-2026-11451 Overview
CVE-2026-11451 is a command injection vulnerability in the GL.iNet GL-MT3000 router running firmware version 4.4.5. The flaw resides in the snprintf function within the /cgi-bin/glc endpoint, specifically in the FTP Protocol Handler component. Attackers can manipulate the media_dir argument to inject operating system commands. The issue is exploitable remotely without authentication and maps to [CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)].
Critical Impact
Remote attackers can inject arbitrary commands through the media_dir parameter handled by the FTP configuration logic on GL-MT3000 firmware 4.4.5. The vendor reports that firmware 4.8.1 mitigates the reported payload patterns.
Affected Products
- GL.iNet GL-MT3000 firmware version 4.4.5
- FTP Protocol Handler component (/cgi-bin/glc)
- Affected interface: /NAS_API_SET_PROTO_CONFIG
Discovery Timeline
- 2026-06-07 - CVE-2026-11451 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-11451
Vulnerability Analysis
The vulnerability lives in the FTP Protocol Handler exposed through the /cgi-bin/glc CGI endpoint on GL.iNet GL-MT3000 devices. The handler constructs an FTP configuration string using snprintf and writes the result to /etc/vsftpd.conf. The media_dir parameter, supplied via the /NAS_API_SET_PROTO_CONFIG interface, is interpolated into the configuration without proper neutralization of shell metacharacters in firmware 4.4.5.
An attacker with network access to the device's management interface can submit a crafted media_dir value containing single quotes, semicolons, and comment characters. The injected sequence breaks out of the intended single-quoted context and appends additional shell commands. Because the attack vector is network-based and requires no authentication or user interaction, exposed devices face direct remote exploitation risk.
Root Cause
The root cause is improper input neutralization when building shell-bound configuration strings. Firmware 4.4.5 lacks an escape routine for single quotes in media_dir. The fix in firmware 4.8.1 introduces escape_single_quote() before writing media_dir into the FTP configuration command, neutralizing the quote-breakout primitive that the public proof-of-concept relies on.
Attack Vector
Exploitation requires reachable access to the router's web management interface and a request to the /NAS_API_SET_PROTO_CONFIG endpoint with a malicious media_dir value. The public proof-of-concept relies on closing a single quote, appending commands with a semicolon, and terminating the line with #. The vendor states that on firmware 4.8.1 the same payload patterns write into /etc/vsftpd.conf as inert configuration text and do not trigger shell command execution.
No verified exploitation code is reproduced here. Technical details and the original payload are documented in the GitHub PoC Repository and the VulDB CVE-2026-11451 entry.
Detection Methods for CVE-2026-11451
Indicators of Compromise
- Unexpected entries in /etc/vsftpd.conf containing shell metacharacters such as ', ;, or # in directory parameters.
- HTTP requests to /cgi-bin/glc or /NAS_API_SET_PROTO_CONFIG with abnormal media_dir values from untrusted source addresses.
- New or unexpected files created on the device that correspond to attacker marker files used in command injection probes.
- Unscheduled vsftpd restarts or child processes spawned by the FTP configuration workflow.
Detection Strategies
- Inspect web server and CGI logs on the router for POST requests to NAS protocol configuration endpoints carrying suspicious media_dir payloads.
- Monitor north-south traffic to router management interfaces for unauthenticated calls to administrative APIs from external networks.
- Baseline expected media_dir values and alert on deviations containing shell punctuation.
Monitoring Recommendations
- Forward router syslog and CGI access logs to a centralized SIEM for correlation and retention.
- Alert on management plane access originating from WAN-facing IP addresses where remote administration is not required.
- Track firmware version inventory across deployed GL.iNet devices to identify hosts still running 4.4.5.
How to Mitigate CVE-2026-11451
Immediate Actions Required
- Upgrade GL-MT3000 devices to firmware version 4.8.1 or later, which introduces escape_single_quote() neutralization for media_dir.
- Restrict access to the router's web administration interface to trusted management networks only.
- Disable remote (WAN-side) administration unless explicitly required, and require strong administrative credentials.
- Audit /etc/vsftpd.conf and FTP/NAS configuration for unexpected content prior to upgrade.
Patch Information
GL.iNet addresses the issue in GL-MT3000 firmware version 4.8.1. The fix escapes single quotes in the media_dir value before it is interpolated into the FTP configuration command, breaking the quote-closure technique used by the public proof-of-concept. Refer to the VulDB advisory for CVE-2026-11451 for vendor commentary and reproduction notes.
Workarounds
- Block external access to /cgi-bin/glc and /NAS_API_SET_PROTO_CONFIG at the network perimeter where firmware cannot be updated immediately.
- Disable the FTP/NAS feature if it is not in active use to remove the vulnerable code path.
- Place affected devices behind a VPN for administration and prevent direct WAN exposure of management services.
# Example: restrict router management access to a trusted subnet (illustrative)
iptables -A INPUT -p tcp --dport 80 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

