Description
A security vulnerability has been detected in GL.iNet GL-MT3000 4.4.5. The impacted element is the function rpc_sys of the file /cgi-bin/luci/rpc of the component LuCI JSON-RPC Interface. Such manipulation leads to command injection. The attack may be performed remotely. Upgrading to version 4.8.1 is sufficient to resolve this issue. Upgrading the affected component is advised. The vendor confirms: "The issue discovered by the vulnerability researcher on older firmware versions (4.4.5) has actually been fixed and mitigated in the new version. According to the latest firmware fixes, by default, firmware versions after 4.7.13 do not install LuCI, so this vulnerability cannot be exploited."
Published: 2026-06-07
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the rpc_sys function of the LuCI JSON-RPC interface that lets a remote user execute arbitrary operating-system commands on the GL.iNet GL-MT3000 router. This can lead to full system compromise, unauthorized data exfiltration or denial of service, affecting the device's confidentiality, integrity and availability. Input passed to rpc_sys is not sanitized, which allows shell commands to be injected.

Affected Systems

GL.iNet GL-MT3000 routers running firmware 4.4.5 or other earlier releases that include the LuCI web interface. According to the vendor, firmware versions after 4.7.13 do not install LuCI by default, so the vulnerability is not present in those builds. Consequently, only systems with LuCI enabled on older firmware are affected.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. No EPSS data is available and the flaw is not listed in the CISA KEV catalog. The attack can be performed remotely by anyone with network access to the RPC endpoint and needs no local access to the device; the CVSS vectors in the record rate the required privileges as low (PR:L). Because the flaw is resolved in version 4.8.1 and newer firmware does not install the vulnerable component by default, the risk to devices that are already updated is low.

Generated by OpenCVE AI on June 7, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to firmware 4.8.1 or a newer release that removes LuCI, thereby eliminating the rpc_sys vulnerability.
  • If an upgrade is not possible immediately, block or disable access to the LuCI JSON‑RPC endpoint (for example, by firewall rules or disabling the rpc_sys function in configuration).
  • Apply network segmentation or firewall restrictions to limit remote access to the router’s management interfaces, reducing the opportunity for an attacker to reach the vulnerable RPC call.



Advisories

No advisories yet.

History

Sun, 07 Jun 2026 03:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gl-inet gl-mt3000
Vendors & Products | | Gl-inet gl-mt3000

Sun, 07 Jun 2026 02:45:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in GL.iNet GL-MT3000 4.4.5. The impacted element is the function rpc_sys of the file /cgi-bin/luci/rpc of the component LuCI JSON-RPC Interface. Such manipulation leads to command injection. The attack may be performed remotely. Upgrading to version 4.8.1 is sufficient to resolve this issue. Upgrading the affected component is advised. The vendor confirms: "The issue discovered by the vulnerability researcher on older firmware versions (4.4.5) has actually been fixed and mitigated in the new version. According to the latest firmware fixes, by default, firmware versions after 4.7.13 do not install LuCI, so this vulnerability cannot be exploited."
Title | | GL.iNet GL-MT3000 LuCI JSON-RPC rpc rpc_sys command injection
First Time appeared | | Gl-inet; Gl-inet gl-mt3000 Firmware
Weaknesses | | CWE-74; CWE-77
CPEs | | cpe:2.3:o:gl-inet:gl-mt3000_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Gl-inet; Gl-inet gl-mt3000 Firmware
References | |
Metrics: cvssV2_0 | | {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}
Metrics: cvssV3_0 | | {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
Metrics: cvssV3_1 | | {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
Metrics: cvssV4_0 | | {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-07T02:15:08.735Z

Reserved: 2026-06-06T10:33:15.318Z

Link: CVE-2026-11449

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-07T03:16:27.077

Modified: 2026-06-07T03:16:27.077

Link: CVE-2026-11449

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-07T03:30:35Z
