Description
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
Published: 2026-03-12
Score: 9.8 Critical
EPSS: 2.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GL‑iNet GL‑AR300M16 firmware v4.3.11 contains a command injection flaw in the M.get_system_log function. The module parameter supplied to this function is not validated, allowing an attacker to inject arbitrary shell commands into the system. If this flaw is exploited, the attacker can execute arbitrary commands on the router, compromising device confidentiality, integrity, and availability and potentially affecting the entire network it serves.

Affected Systems

The vulnerability is present in GL‑iNet GL‑AR300M16 routers running firmware version 4.3.11. The affected functionality is the get_system_log endpoint, which is exposed through the router’s management interface and accepts a maliciously crafted module parameter causing command injection.

Risk and Exploitability

The CVSS score is 9.8, indicating a critical level of risk. The EPSS score is 2%, indicating a slightly higher probability of exploitation observed in the wild, yet the existence of the flaw with such high impact mandates action. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be remote, via network communication to the router’s management interface where the get_system_log function is exposed, but the exact method of exploitation (e.g., HTTP request, SNMP, etc.) is not explicitly detailed in the provided description.

Generated by OpenCVE AI on June 18, 2026 at 13:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to a firmware version that removes the vulnerable get_system_log implementation or applies the vendor’s patch when it becomes available.
  • If an upgrade is not immediately possible, block or disable the get_system_log endpoint by firewall or configuration changes to prevent remote access.
  • As an added precaution, consider disabling remote management interfaces or restricting them to trusted IP ranges.
  • Reset the device to factory defaults and configure strong authentication to mitigate potential credential compromise.
  • Continuously monitor network traffic for anomalous calls to the get_system_log function.

Generated by OpenCVE AI on June 18, 2026 at 13:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Command Injection via get_system_log on GL-AR300M16 Router Firmware

Wed, 17 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
Title Command Injection via get_system_log on GL-AR300M16 Router Firmware

Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Command Injection in GL-iNet GL-AR300M16 v4.3.11 via get_system_log

Fri, 20 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Title Command Injection in GL-iNet GL-AR300M16 v4.3.11 via get_system_log

Sat, 14 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Gl-inet ar300m16
Gl-inet ar300m16 Firmware
Weaknesses CWE-77
CPEs cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.11:*:*:*:*:*:*:*
Vendors & Products Gl-inet ar300m16
Gl-inet ar300m16 Firmware
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Gl-inet
Gl-inet gl-ar300m16
Vendors & Products Gl-inet
Gl-inet gl-ar300m16

Thu, 12 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
References

Subscriptions

Gl-inet Ar300m16 Ar300m16 Firmware Gl-ar300m16
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-14T03:30:31.005Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26795

cve-icon Vulnrichment

Updated: 2026-03-14T03:30:12.652Z

cve-icon NVD

Status : Modified

Published: 2026-03-12T18:16:23.070

Modified: 2026-06-17T10:26:20.383

Link: CVE-2026-26795

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:45:05Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')