Description
A vulnerability was detected in GL.iNet GL-MT3000 4.4.5. This affects the function dlopen in the library /usr/lib/oui-httpd/rpc/ of the component Path Normalization Handler. Performing a manipulation of the argument dev_name results in command injection. It is possible to initiate the attack remotely. Upgrading to version 4.7 mitigates this issue. It is advisable to upgrade the affected component. The vendor confirms: " From version 4.7 onward, we have enabled method‑level validation at the HTTP /rpc layer. nas‑web.eject_disk is no longer in the whitelist of allowed methods. Consequently, directly calling eject_disk through the default /rpc endpoint returns Invalid params, preventing entry into subsequent dangerous functions and blocking the remote exploit chain described in the report."
Published: 2026-06-07
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the dlopen function of the Path Normalization Handler within the /usr/lib/oui-httpd/rpc component of GL.iNet GL‑MT3000 firmware 4.4.5. By manipulating the dev_name argument, an attacker can cause the handler to evaluate a malicious path and execute arbitrary shell commands. This satisfies both path traversal (CWE‑74) and command injection (CWE‑77) weaknesses, allowing the attacker to gain remote code execution privileges on the device.

Affected Systems

Affected systems are GL.iNet GL‑MT3000 routers running firmware version 4.4.5 (the only publicly disclosed vulnerable build). The issue is fixed in firmware 4.7, which adds method‑level validation to the HTTP /rpc API and removes the eject_disk method from the allowed list, preventing the exploitation chain described by the report.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the vulnerability can be exploited over the network via the exposed /rpc endpoint. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, so the public exploitation risk appears moderate but cannot be ruled out. An attacker who can reach the device's RPC interface—potentially through LAN or VPN—can craft a custom dev_name value and trigger command execution remotely.

Generated by OpenCVE AI on June 7, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GL‑MT3000 firmware to version 4.7 or later, which implements method‑level validation and removes the vulnerable eject_disk method from the whitelist.
  • Restrict remote access to the /rpc interface by limiting its exposure to trusted internal IP addresses or by placing the device on a VLAN separate from untrusted networks.
  • Monitor the device’s RPC logs for anomalous dev_name parameters and immediately block or firewall any remote source attempting to invoke the eject_disk method or other disallowed RPC calls.

Generated by OpenCVE AI on June 7, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 07 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Gl-inet gl-mt3000
Vendors & Products Gl-inet gl-mt3000

Sun, 07 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in GL.iNet GL-MT3000 4.4.5. This affects the function dlopen in the library /usr/lib/oui-httpd/rpc/ of the component Path Normalization Handler. Performing a manipulation of the argument dev_name results in command injection. It is possible to initiate the attack remotely. Upgrading to version 4.7 mitigates this issue. It is advisable to upgrade the affected component. The vendor confirms: " From version 4.7 onward, we have enabled method‑level validation at the HTTP /rpc layer. nas‑web.eject_disk is no longer in the whitelist of allowed methods. Consequently, directly calling eject_disk through the default /rpc endpoint returns Invalid params, preventing entry into subsequent dangerous functions and blocking the remote exploit chain described in the report."
Title GL.iNet GL-MT3000 Path Normalization dlopen command injection
First Time appeared Gl-inet
Gl-inet gl-mt3000 Firmware
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:o:gl-inet:gl-mt3000_firmware:*:*:*:*:*:*:*:*
Vendors & Products Gl-inet
Gl-inet gl-mt3000 Firmware
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Gl-inet Gl-mt3000 Gl-mt3000 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-07T02:30:09.365Z

Reserved: 2026-06-06T10:33:18.124Z

Link: CVE-2026-11450

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-07T03:16:27.247

Modified: 2026-06-07T03:16:27.247

Link: CVE-2026-11450

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T03:30:35Z

Weaknesses