CVE-2026-11505 Overview
CVE-2026-11505 is a hard-coded cryptographic key vulnerability [CWE-320] affecting multiple GL.iNet router models running firmware version 4.8.x. The flaw resides in the glnassys component, which ships with a hard-coded default authentication token. An attacker who presents that token can execute unauthorized commands against affected devices over the network. The issue carries high attack complexity, and the vendor characterizes exploitation as difficult. GL.iNet has addressed the issue in firmware version 4.9.0.
Critical Impact
A remote attacker with low privileges can present the hard-coded glnassys token to issue unauthorized commands on affected GL.iNet routers. Successful exploitation requires high attack complexity, but because the token is the same on every affected device, once it is known it works against all of them.
Affected Products
- GL.iNet A1300, AX1800, AXT1800 firmware 4.8.x
- GL.iNet MT2500, MT3000, MT6000 firmware 4.8.x
- GL.iNet X3000 and XE3000 firmware 4.8.x
Discovery Timeline
- 2026-06-08 - CVE-2026-11505 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-11505
Vulnerability Analysis
The vulnerability exists in the glnassys component shipped with GL.iNet firmware 4.8.x across multiple consumer and prosumer router models. The component carries a hard-coded default authentication token embedded in its binary. Because the token is identical across deployments, anyone who recovers it from one device, or from a published firmware image, can replay it against any other affected device.
The issue is classified under [CWE-320] (Key Management Errors) and enables unauthorized command execution against the NAS subsystem. The attack is reachable over the network and does not require user interaction, although the vendor characterizes practical exploitation as difficult. According to the public references, the token grants command execution within the gl-nas-sys service context; the effective impact therefore depends on the privileges that service runs with on the device, which the public references do not state.
Root Cause
The root cause is a static authentication token embedded in the glnassys binary instead of a per-device credential generated at provisioning time. A secret stored in firmware cannot be kept confidential: firmware images are publicly distributed, and anyone can unpack one and extract the token without ever touching a device.
Attack Vector
An attacker on a network path to the router connects to the glnassys service and presents the recovered token to authenticate. Once the token is accepted, the attacker can invoke whatever NAS commands the service exposes. The vulnerability is described in detail in the GitHub CVE Issue Report published by GL.iNet.
No verified proof-of-concept code is publicly available. Refer to the linked advisory for the technical write-up of the token recovery and command-execution flow; this page does not reproduce the token or the service's command interface.
Detection Methods for CVE-2026-11505
Indicators of Compromise
- Unexpected authentication events against the glnassys service originating from non-administrative hosts or external addresses.
- Unscheduled command execution, file creation, or configuration changes on the router's NAS subsystem.
- Outbound connections from the router to unfamiliar hosts following NAS service activity.
Detection Strategies
- Inventory affected GL.iNet models and confirm firmware version. Any device running 4.8.x firmware should be treated as vulnerable until upgraded.
- Inspect router system logs for authentications to glnassys from sources other than the local management interface.
- Monitor network traffic to the router management ports for connections from untrusted network segments.
Monitoring Recommendations
- Forward router syslog data to a centralized log collector and alert on glnassys authentication and command invocation events.
- Baseline normal NAS service activity per device and alert on deviations in command frequency or source.
- Track firmware versions across the router fleet so devices remaining on 4.8.x are flagged for upgrade.
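The fleet version check in the last point, as an added example that is not part of the original page or of GL.iNet's own tooling: a POSIX shell script that classifies each device's /etc/glversion string against the affected 4.8.x range and the 4.9.0 fix. The inventory is constructed for demonstration, and the hostnames, the assumption that /etc/glversion holds a plain dotted version, and the SSH collection step are mine, not the advisory's.

```shell
#!/bin/sh
# Added example, not from GL.iNet or the advisory: flag fleet devices that are
# still on an affected 4.8.x build. Assumes /etc/glversion holds a dotted
# version such as "4.8.1" (the file the manual check on this page reads) and
# that the admin host can reach each router over SSH. Inventory is constructed.
set -u

FIXED_VERSION="4.9.0"

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Compares field by field as integers so that 4.10.0 sorts above 4.9.0;
# a non-numeric suffix on a field (e.g. "1-rc1") is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# classify VERSION: "vulnerable" for any 4.8.x build, "fixed" for 4.9.0 or
# later, "out-of-scope" for releases below 4.8 (the CVE text does not cover them)
classify() {
    case "$1" in
        4.8|4.8.*) echo vulnerable ;;
        *) if version_lt "$1" "$FIXED_VERSION"; then echo out-of-scope; else echo fixed; fi ;;
    esac
}

# Constructed inventory ("host version" per line). In production, collect each
# version from the router itself, e.g.: ssh root@"$host" cat /etc/glversion
INVENTORY="gw-office-1 4.8.1
gw-office-2 4.9.0
gw-lab-1 4.8.3
gw-legacy 4.7.2"

# count_vulnerable: prints one status line per host to stderr and, on stdout,
# the number of hosts that still need the 4.9.0 upgrade
count_vulnerable() {
    n=0
    while read -r host ver; do
        [ -n "$host" ] || continue
        status=$(classify "$ver")
        echo "$host $ver $status" >&2
        if [ "$status" = vulnerable ]; then n=$((n + 1)); fi
    done <<EOF
$INVENTORY
EOF
    echo "$n"
}

echo "devices still on 4.8.x: $(count_vulnerable)"
```

Run it from the admin host after replacing the constructed inventory with real output from each router; a non-zero count is the list of devices to schedule for the 4.9.0 upgrade.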
How to Mitigate CVE-2026-11505
Immediate Actions Required
- Upgrade affected GL.iNet devices to firmware version 4.9.0 or later, the release in which the vendor addresses the hard-coded token.
- Restrict access to router management and NAS service ports to trusted administrative networks only.
- Audit recent router logs for unexpected glnassys activity prior to upgrade.
Patch Information
GL.iNet has released firmware version 4.9.0 to remediate this issue. The AX1800 update image is listed on the vendor's GL.iNet Firmware Update page. The issue is also tracked in VulDB as CVE-2026-11505 (see the VulDB Vulnerability Report).
Workarounds
- Block external access to router administrative and NAS service interfaces via firewall rules or VLAN segmentation.
- Disable the NAS feature on affected devices if it is not in active use.
- Place affected routers behind a separate management network and require VPN access for administration until the firmware upgrade is completed.
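A concrete form of the first workaround, added here as an example and not taken from GL.iNet's documentation: an OpenWrt-style /etc/config/firewall fragment (GL.iNet 4.x firmware is OpenWrt based) that limits the router's management ports on the LAN side to a single admin host. The admin address 192.168.8.10, the LAN subnet and the port list are assumptions; the advisory does not state which port the NAS service listens on, so that port must be confirmed on the device (for example with netstat -lntp) and added to dest_port before these rules cover it.

```uci
# /etc/config/firewall (fragment) -- added example, not vendor configuration.
# Assumptions: admin host 192.168.8.10 on the default 192.168.8.0/24 LAN;
# ports 22, 80, 443 = SSH and web UI. The glnassys/NAS port is not given by
# the advisory and has to be appended to both dest_port lists once known.
# WAN-side input is already rejected by the stock wan zone policy.

config rule
	option name	'Allow-Admin-Mgmt'
	option src	'lan'
	option src_ip	'192.168.8.10'
	option dest_port	'22 80 443'
	option proto	'tcp'
	option target	'ACCEPT'

config rule
	option name	'Drop-Other-Mgmt'
	option src	'lan'
	option dest_port	'22 80 443'
	option proto	'tcp'
	option target	'DROP'
```

Apply with /etc/init.d/firewall reload and test from the admin host before closing the existing session. Rules are evaluated in order, so the ACCEPT must precede the DROP; without the DROP, the lan zone's default input policy (ACCEPT) would still let every LAN host reach those ports. Where the NAS feature is unused, disabling it (the second workaround) removes the listener altogether and is simpler than fencing it.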
# Configuration example
# Verify installed firmware version on a GL.iNet device (anything 4.8.x is affected)
cat /etc/glversion
# Check the downloaded image against the checksum GL.iNet publishes for the release before flashing
sha256sum /tmp/openwrt-ipq60xx-glinet_ax1800-squashfs-sysupgrade.tar
# Apply the vendor-supplied 4.9.0 sysupgrade image (example for AX1800); the device reboots on completion
sysupgrade -v /tmp/openwrt-ipq60xx-glinet_ax1800-squashfs-sysupgrade.tar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

