CVE-2026-12187 Overview
CVE-2026-12187 is a command injection vulnerability affecting GL.iNet GL-MT3000 routers running firmware versions up to 4.4.5. The flaw resides in the /usr/bin/one_click_upgrade binary, which is part of the Online Firmware Upgrade Handler component. Attackers with low-privilege network access can manipulate input passed to the handler to execute arbitrary operating system commands on the router. The vendor has acknowledged the issue and released firmware version 4.7 to address it. A public proof-of-concept has been disclosed, increasing the likelihood of exploitation attempts against exposed devices.
Critical Impact
Authenticated remote attackers can inject operating system commands through the firmware upgrade handler, gaining full control of the affected router and the network traffic it processes.
Affected Products
- GL.iNet GL-MT3000 firmware versions up to and including 4.4.5
- Online Firmware Upgrade Handler component (/usr/bin/one_click_upgrade)
- Fixed in GL.iNet GL-MT3000 firmware version 4.7 and later
Discovery Timeline
- 2026-06-14 - CVE-2026-12187 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-12187
Vulnerability Analysis
The vulnerability is classified under [CWE-74] as improper neutralization of special elements in output used by a downstream component, manifesting as command injection. The /usr/bin/one_click_upgrade binary on the GL-MT3000 device handles online firmware upgrade requests. It accepts attacker-controlled input and passes that input to a shell context without adequate sanitization. As a result, shell metacharacters in the request body are interpreted by the underlying operating system, allowing arbitrary command execution in the context of the upgrade handler process.
GL.iNet GL-MT3000 is a consumer and small-office wireless router running OpenWrt-derived firmware. Successful exploitation grants the attacker control over routing, DNS, and traffic inspection capabilities on the affected device.
Root Cause
The root cause is missing input neutralization within the online upgrade workflow. The handler constructs a shell command using attacker-supplied data such as a remote upgrade URL or filename and invokes it without using safe execution primitives or strict allowlist validation. Injected separators including ;, &&, |, and backticks are processed by the shell interpreter rather than treated as literal data.
Attack Vector
The attack is launched over the network against the router's management interface. The CVSS 4.0 vector indicates the attacker requires low privileges and no user interaction. An attacker who can reach the upgrade endpoint, either through an exposed management interface or from inside the LAN, can submit a crafted request containing shell metacharacters in the parameter consumed by one_click_upgrade. The injected commands execute with the privileges of the upgrade handler, typically root on embedded routers. Technical details and a proof-of-concept are documented in the GitHub IoT Vulnerability Repository and the VulDB entry for CVE-2026-12187.
// No verified exploit code is reproduced here.
// See the linked proof-of-concept repository for technical details.
Detection Methods for CVE-2026-12187
Indicators of Compromise
- HTTP requests to the GL-MT3000 management interface containing shell metacharacters such as ;, |, &&, $(), or backticks in upgrade URL or filename parameters.
- Unexpected outbound connections from the router to attacker-controlled hosts shortly after upgrade-related API calls.
- New or modified files in writable firmware directories, or unexpected crontab and init.d entries on the router.
- one_click_upgrade invocations correlated with non-firmware child processes such as sh, wget, curl, or nc.
Detection Strategies
- Inspect web and proxy logs for requests targeting the firmware upgrade endpoint with non-URL-safe characters in user-supplied fields.
- Monitor for anomalous process trees on the router where one_click_upgrade spawns shells or networking utilities.
- Compare current firmware version banners against the fixed 4.7 or later release to identify unpatched devices.
Monitoring Recommendations
- Forward router syslog, web server, and authentication events to a central log platform for correlation with network telemetry.
- Alert on administrative access to GL-MT3000 management interfaces from untrusted networks or unusual geolocations.
- Track EPSS scoring for CVE-2026-12187, which currently sits near the 78th percentile, and raise monitoring priority if exploit activity increases.
How to Mitigate CVE-2026-12187
Immediate Actions Required
- Upgrade affected GL-MT3000 devices to firmware version 4.7 or later, with version 4.8.1 available from the GL.iNet firmware release server.
- Restrict access to the router's management interface so that only trusted administrative hosts on the LAN can reach it.
- Disable remote (WAN-side) administration until patching is complete.
- Rotate administrator credentials after upgrading, since low-privilege accounts are sufficient to trigger the flaw.
Patch Information
GL.iNet has released firmware version 4.7 to remediate CVE-2026-12187, and subsequent releases including 4.8.1 retain the fix. Administrators should download the official image from the vendor and verify integrity before flashing. Reference the VulDB advisory for CVE-2026-12187 for vendor coordination details.
Workarounds
- Place the router's administrative interface behind a management VLAN or firewall rule that only permits trusted IP ranges.
- Block outbound connections from the router to unexpected destinations to limit second-stage payload retrieval if exploitation occurs.
- Audit existing accounts and disable any unused low-privilege users that could otherwise reach the upgrade handler.
# Example: restrict management interface to a trusted admin subnet
# Replace 192.0.2.0/24 with your administrative network
iptables -I INPUT -p tcp --dport 80 -s 192.0.2.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

