CVE-2026-36356: MeiG Smart FORGE_SLT711 RCE Vulnerability

CVE-2026-36356 Overview

CVE-2026-36356 is an unauthenticated operating system (OS) command injection vulnerability in the GoAhead web server running on MeiG Smart FORGE_SLT711 devices. The flaw resides in the /action/SetRemoteAccessCfg endpoint and affects firmware version MDM9607.LE.1.0-00110-STD.PROD-1. Attackers can inject arbitrary shell commands without authentication, gaining full control over the underlying embedded Linux system. The weakness is tracked as CWE-78: Improper Neutralization of Special Elements used in an OS Command. A public proof-of-concept (PoC) is available on GitHub, lowering the barrier for exploitation against exposed devices.

Critical Impact

Remote unauthenticated attackers can execute arbitrary OS commands with the privileges of the GoAhead web server, leading to full device compromise of cellular IoT gateways.

Affected Products

• MeiG Smart FORGE_SLT711 cellular IoT device
• Firmware MDM9607.LE.1.0-00110-STD.PROD-1
• Embedded GoAhead web server exposing /action/SetRemoteAccessCfg

Discovery Timeline

• 2026-05-05 - CVE-2026-36356 published to the National Vulnerability Database (NVD)
• 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-36356

Vulnerability Analysis

The FORGE_SLT711 is a 4G LTE fixed wireless device built on the Qualcomm MDM9607 platform. It exposes a management interface served by GoAhead, a lightweight embedded web server commonly bundled in cellular gateways. The /action/SetRemoteAccessCfg handler accepts user-supplied parameters that configure remote access settings on the device. The handler passes attacker-controlled input directly into a shell command without sanitization or argument separation.

Because the endpoint enforces no authentication, any attacker with network reachability to the web management interface can invoke it. The PoC published on GitHub demonstrates how a single crafted HTTP request triggers command execution. Successful exploitation yields code execution under the same account that runs GoAhead, which on most embedded firmware images is root.

Root Cause

The root cause is improper neutralization of special elements used in an OS command [CWE-78]. Configuration values submitted to /action/SetRemoteAccessCfg are concatenated into a shell invocation rather than being passed as discrete arguments. Shell metacharacters such as ;, |, &&, and backticks are interpreted by the shell, allowing command chaining.

Attack Vector

Exploitation requires only network access to the device's HTTP management interface. The attacker sends a crafted HTTP request to the /action/SetRemoteAccessCfg endpoint, embedding shell metacharacters within a vulnerable parameter. The injected payload executes when the firmware processes the configuration update. No credentials, prior access, or user interaction are required. Devices exposed to the public internet, including misconfigured industrial deployments and home cellular gateways, are directly reachable. Refer to the public proof-of-concept for exact request structure.

Detection Methods for CVE-2026-36356

Indicators of Compromise

• HTTP POST or GET requests to /action/SetRemoteAccessCfg containing shell metacharacters such as ;, |, `, $(, or && in any parameter value.
• Outbound connections from the device to unknown hosts shortly after configuration requests, indicating reverse shell or downloader activity.
• Unexpected child processes spawned by the GoAhead webs binary, especially sh, wget, curl, busybox, or nc.
• New cron entries, modified /etc/init.d scripts, or unfamiliar binaries appearing in /tmp or /var on the device.

Detection Strategies

• Inspect web server access logs and upstream network sensors for requests targeting /action/SetRemoteAccessCfg with non-printable or shell-special characters.
• Deploy network intrusion detection signatures that match the PoC request pattern published in the GitHub PoC repository.
• Correlate device telemetry with threat intelligence feeds tracking IoT botnets that scan for GoAhead-based command injection.

Monitoring Recommendations

• Monitor north-south traffic to and from cellular IoT gateways for anomalous outbound connections to non-corporate destinations.
• Alert on any HTTP request to embedded device management endpoints originating from external networks.
• Track firmware integrity by comparing running configuration and binary hashes against a known-good baseline.

How to Mitigate CVE-2026-36356

Immediate Actions Required

• Remove FORGE_SLT711 web management interfaces from the public internet and place them behind a VPN or management VLAN.
• Block external access to TCP ports hosting the GoAhead service using upstream firewalls or carrier ACLs.
• Audit network logs for prior requests to /action/SetRemoteAccessCfg and treat matching devices as potentially compromised.
• Inventory all MeiG Smart FORGE_SLT711 devices and confirm firmware versions against the affected build MDM9607.LE.1.0-00110-STD.PROD-1.

Patch Information

No vendor advisory or fixed firmware version was listed in the NVD record at the time of publication. Customers should contact MeiG Smart through the vendor website and the FORGE SLT711 product page to request a patched firmware build. Until a fix is available, compensating controls described below are required.

Workarounds

• Restrict access to the device management interface to a small allowlist of administrative source IP addresses.
• Disable remote access configuration features on the device if the deployment does not require them.
• Place affected devices on isolated network segments with no route to sensitive corporate or operational technology assets.
• Replace internet-exposed FORGE_SLT711 units with vendor-supported alternatives where a patch cannot be obtained.

# Example upstream firewall rule limiting access to the device management port
# Replace 203.0.113.10 with the authorized administrator address
iptables -A FORWARD -p tcp -d <device_ip> --dport 80 -s 203.0.113.10 -j ACCEPT
iptables -A FORWARD -p tcp -d <device_ip> --dport 80 -j DROP