Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12186

CVE-2026-12186: GL.iNet GL-MT3000 RCE Vulnerability

CVE-2026-12186 is a remote code execution flaw in GL.iNet GL-MT3000 routers that enables command injection via the Tor Proxy service. This article covers technical details, affected versions up to 4.4.5, and mitigation.

Published:

CVE-2026-12186 Overview

CVE-2026-12186 is a command injection vulnerability in the GL.iNet GL-MT3000 router firmware up to version 4.4.5. The flaw resides in the replace_country function within the /usr/lib/oui-httpd/rpc/tor library, part of the Tor Proxy Service Configuration Handler. Attackers can exploit this weakness remotely with low-privileged authenticated access to inject arbitrary operating system commands. A public exploit has been released, increasing the likelihood of opportunistic attacks against exposed devices. GL.iNet has released firmware version 4.7 (and later 4.8.1) to address the issue. The vulnerability is classified under CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component.

Critical Impact

Remote authenticated attackers can execute arbitrary commands on affected GL-MT3000 routers, leading to full device compromise and potential pivoting into adjacent networks.

Affected Products

  • GL.iNet GL-MT3000 firmware versions up to and including 4.4.5
  • Tor Proxy Service Configuration Handler component (/usr/lib/oui-httpd/rpc/tor)
  • replace_country function in the affected library

Discovery Timeline

  • 2026-06-14 - CVE-2026-12186 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-12186

Vulnerability Analysis

The vulnerability is a command injection flaw in the Tor Proxy Service Configuration Handler used by the GL-MT3000 router's OUI HTTPD RPC interface. The affected replace_country function processes configuration input intended to update the Tor exit node country selection. Because the function fails to neutralize shell metacharacters before passing the value to a downstream command interpreter, attackers can append arbitrary commands to the parameter. The injected commands execute in the context of the web service, which typically runs with elevated privileges on consumer routers.

Root Cause

The root cause is improper neutralization of special elements passed to a downstream component [CWE-74]. The replace_country function constructs a system command using attacker-controlled input from the RPC request without sanitization, shell escaping, or argument array execution. Standard mitigations such as parameter allowlisting or using execve-style invocations are absent, allowing characters like ;, |, `, and $() to break out of the intended command context.

Attack Vector

The attack is network-reachable through the router's management interface and requires low-privilege authentication. An attacker submits a crafted RPC request to the Tor configuration endpoint with a malicious country value containing shell metacharacters. The injected payload is executed by the underlying shell during configuration replacement. A public proof-of-concept describing the parameter and request flow is available in the GitHub IoT Configuration Guide and VulDB CVE-2026-12186 entry.

No verified exploit code is reproduced here. Refer to the linked references for the technical request structure used to trigger the replace_country command injection.

Detection Methods for CVE-2026-12186

Indicators of Compromise

  • Unexpected outbound connections originating from GL-MT3000 routers, particularly to unfamiliar IP addresses or Tor relays not previously used by the device.
  • Presence of unauthorized processes, cron entries, or modified startup scripts on the router that were not introduced by firmware updates.
  • Anomalous HTTP/RPC requests to the OUI HTTPD interface containing shell metacharacters (;, |, `, $()) in Tor configuration parameters.

Detection Strategies

  • Inspect web server and RPC access logs on the router for POST requests targeting the Tor configuration endpoint with suspicious country parameter values.
  • Monitor for spawning of shell utilities (sh, wget, curl, nc, busybox) by the oui-httpd process, which indicates command injection execution.
  • Compare running firmware versions against the fixed release (4.7 or later) using inventory tooling to identify exposed devices.

Monitoring Recommendations

  • Enable network flow logging at upstream gateways to surface unusual traffic patterns from edge router devices.
  • Restrict and audit administrative access to the router management plane, alerting on authentication events from unexpected source networks.
  • Track CVE feeds and the VulDB Vulnerability Details entry for updated exploit telemetry, including the current EPSS probability of 2.016%.

How to Mitigate CVE-2026-12186

Immediate Actions Required

  • Upgrade GL-MT3000 firmware to version 4.7 or later, with the latest release available via the GL-iNet Firmware Release channel.
  • Remove the device's management interface from the public internet and restrict access to trusted administrative networks.
  • Rotate administrative credentials after patching, since low-privileged accounts are sufficient to trigger the vulnerability.

Patch Information

GL.iNet released firmware version 4.7 to remediate the command injection in the replace_country function. The current production build is available at the GL-iNet Firmware Release URL. Administrators should validate firmware integrity and reboot the device after applying the update.

Workarounds

  • Disable the Tor proxy service on the router if the feature is not in active use, eliminating the vulnerable code path.
  • Block external access to the oui-httpd RPC interface using upstream firewall rules until the firmware update is applied.
  • Limit user accounts on the router to trusted administrators only, reducing the pool of identities that can reach the authenticated endpoint.
bash
# Example: restrict router management plane access at an upstream firewall
# Replace 192.0.2.10 with your trusted admin host and 10.0.0.1 with the router IP
iptables -A FORWARD -s 192.0.2.10 -d 10.0.0.1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.0.0.1 -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.