Description
A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir can lead to command injection. It is possible to launch the attack remotely. Upgrading to version 4.8.1 will fix this issue. You should upgrade the affected component. The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report—which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #—cannot escape execution under the current code path. We also verified this on a GL‑MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”."
Published: 2026-06-07
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the FTP Protocol Handler of GL.iNet GL-MT3000 firmware version 4.4.5 allows an attacker to inject malicious commands through the media_dir parameter. The vulnerable snprintf function fails to properly escape single quotes, enabling a crafted payload that closes a quote, appends shell commands with a semicolon, and comments out the remainder of the line. This results in arbitrary shell command execution on the device, granting the attacker full control over the device’s operating system. The weakness is identified as CWE-74 and CWE-77.

Affected Systems

The vulnerability affects GL.iNet GL-MT3000 devices running firmware 4.4.5 or earlier versions that have not applied the 4.8.1 fix. The official patch in firmware 4.8.1 sanitizes the media_dir input by escaping single quotes before writing to the FTP configuration, thereby preventing command injection. All devices of the GL-MT3000 line that are still on 4.4.5 or any earlier firmware without the patch are considered vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate risk, and no EPSS score is available, implying uncertainty about exploit prevalence. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw remotely by sending a crafted request to the FTP configuration endpoint exposed by the /cgi-bin/glc handler. Once executed, the attacker can run arbitrary shell commands, potentially compromising confidentiality, integrity, and availability of the device and any connected network services.

Generated by OpenCVE AI on June 7, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GL.iNet GL-MT3000 firmware to version 4.8.1 or later, which escapes single quotes in the media_dir parameter.
  • If a firmware upgrade cannot be performed immediately, block external access to the FTP protocol handler or the /cgi-bin/glc endpoint to prevent malicious configuration submissions.
  • Monitor the device’s logs and configuration files for unexpected changes or injected shell commands, ensuring no unauthorized commands are executed via vsftpd.conf.

Generated by OpenCVE AI on June 7, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 07 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Description A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir can lead to command injection. It is possible to launch the attack remotely. Upgrading to version 4.8.1 will fix this issue. You should upgrade the affected component. The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report—which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #—cannot escape execution under the current code path. We also verified this on a GL‑MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”."
Title GL.iNet GL-MT3000 FTP Protocol glc snprintf command injection
First Time appeared Gl-inet
Gl-inet gl-mt3000 Firmware
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:o:gl-inet:gl-mt3000_firmware:*:*:*:*:*:*:*:*
Vendors & Products Gl-inet
Gl-inet gl-mt3000 Firmware
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Gl-inet Gl-mt3000 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-07T03:00:14.858Z

Reserved: 2026-06-06T10:33:20.923Z

Link: CVE-2026-11451

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-07T04:16:29.570

Modified: 2026-06-07T04:16:29.570

Link: CVE-2026-11451

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T05:30:05Z

Weaknesses