Description
A flaw has been found in GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000 and XE3000 4.8.x. This affects an unknown function of the component glnassys. Executing a manipulation can lead to use of hard-coded cryptographic key. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. Upgrading to version 4.9.0 mitigates this issue. Upgrading the affected component is advised.
Published: 2026-06-08
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the glnassys component of multiple GL.iNet routers and involves a hard‑coded cryptographic key. Manipulation of this component can cause the device to rely on the fixed key, potentially undermining normal authentication controls. The weakness is classified as CWE‑320 and CWE‑321, which cover key management errors and use of a hard‑coded cryptographic key. Because the exploit is reported to require a high level of complexity and is described as difficult, the immediate risk to confidentiality, integrity, and availability is low but not negligible.

Affected Systems

The vulnerability affects GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000, and XE3000 routers running firmware version 4.8.x. All listed device families contain the glnassys component with the hard‑coded key.

Risk and Exploitability

The CVSS score of 2.3 indicates a low‑severity issue. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread active exploitation. Attacks may be launched remotely, but the exploitation is deemed difficult and requires significant expertise. The attack vector is not further specified in the advisory, so the exact remote interface involved remains unspecified.

Generated by OpenCVE AI on June 8, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the affected GL.iNet routers to firmware version 4.9.0 or later, which removes the hard‑coded cryptographic key.
  • Disable or restrict remote management interfaces (such as SSH, HTTP, or web admin) until the firmware upgrade has been completed to reduce the attack surface.
  • Replace any default or weak authentication tokens with strong, unique passwords and ensure the device configuration does not expose legacy authentication mechanisms.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared: Gl-inet, Gl-inet a1300, Gl-inet ax1800, Gl-inet axt1800, Gl-inet mt2500, Gl-inet mt3000, Gl-inet mt6000, Gl-inet x3000, Gl-inet xe3000
Vendors & Products: Gl-inet, Gl-inet a1300, Gl-inet ax1800, Gl-inet axt1800, Gl-inet mt2500, Gl-inet mt3000, Gl-inet mt6000, Gl-inet x3000, Gl-inet xe3000

Mon, 08 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Description: A flaw has been found in GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000 and XE3000 4.8.x. This affects an unknown function of the component glnassys. Executing a manipulation can lead to use of hard-coded cryptographic key. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. Upgrading to version 4.9.0 mitigates this issue. Upgrading the affected component is advised.
Title: GL.iNet XE3000 glnassys hard-coded key
First Time appeared: Gl.inet, Gl.inet a1300, Gl.inet ax1800, Gl.inet axt1800, Gl.inet mt2500, Gl.inet mt3000, Gl.inet mt6000, Gl.inet x3000, Gl.inet xe3000
Weaknesses: CWE-320, CWE-321
CPEs:
  cpe:2.3:a:gl.inet:a1300:*:*:*:*:*:*:*:*
  cpe:2.3:a:gl.inet:ax1800:*:*:*:*:*:*:*:*
  cpe:2.3:a:gl.inet:axt1800:*:*:*:*:*:*:*:*
  cpe:2.3:a:gl.inet:mt2500:*:*:*:*:*:*:*:*
  cpe:2.3:a:gl.inet:mt3000:*:*:*:*:*:*:*:*
  cpe:2.3:a:gl.inet:mt6000:*:*:*:*:*:*:*:*
  cpe:2.3:a:gl.inet:x3000:*:*:*:*:*:*:*:*
  cpe:2.3:a:gl.inet:xe3000:*:*:*:*:*:*:*:*
Vendors & Products: Gl.inet, Gl.inet a1300, Gl.inet ax1800, Gl.inet axt1800, Gl.inet mt2500, Gl.inet mt3000, Gl.inet mt6000, Gl.inet x3000, Gl.inet xe3000
References
Metrics:
  cvssV2_0: {'score': 4.6, 'vector': 'AV:N/AC:H/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}
  cvssV3_0: {'score': 5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
  cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
  cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T13:25:49.443Z

Reserved: 2026-06-07T14:06:05.114Z

Link: CVE-2026-11505

Vulnrichment

Updated: 2026-06-08T13:25:43.259Z

NVD

Status: Deferred

Published: 2026-06-08T12:16:30.747

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11505

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T13:00:15Z

Weaknesses