Description
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
Published: 2026-05-05
Score: 9.1 Critical
EPSS: 5.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated OS command injection in the GoAhead web server running on MeiG Smart FORGE_SLT711 devices. By sending crafted requests to the "/action/SetRemoteAccessCfg" endpoint, an attacker can execute arbitrary operating system commands with the privileges of the web server process. This flaw permits full control over the device and can compromise confidentiality, integrity, and availability of the device and any backend systems it interfaces with.

Affected Systems

The affected product is the GoAhead web server bundled in the MeiG Smart FORGE_SLT711 device, specifically firmware version MDM9607.LE.1.0-00110-STD.PROD-1.

Risk and Exploitability

The flaw poses a high risk due to its nature as an unauthenticated remote code execution vulnerability. The CVSS score of 9.1 indicates critical severity. The EPSS score of 6% indicates a moderate likelihood of exploitation, and the attack vector can be inferred as network-based as the vulnerable endpoint is exposed over HTTP/HTTPS. The ease of exploitation is high because no authentication is required. The vulnerability is not listed in CISA’s KEV catalog, but the potential impact warrants immediate attention.

Generated by OpenCVE AI on May 28, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version that resolves the command injection flaw.
  • Disable or restrict the "/action/SetRemoteAccessCfg" endpoint by configuring the web server or applying network access controls.
  • Apply network segmentation or firewall rules to limit inbound traffic to the device and monitor for attempted exploitation attempts.

Generated by OpenCVE AI on May 28, 2026 at 14:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 15:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated OS Command Injection in GoAhead Web Server on MeiG Smart FORGE_SLT711

Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Meig
Meig goahead
Vendors & Products Meig
Meig goahead

Tue, 05 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated OS Command Injection in GoAhead Web Server on MeiG Smart FORGE_SLT711

Tue, 05 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 05 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated OS Command Injection in GoAhead Web Server on MeiG Smart FORGE_SLT711
Weaknesses CWE-78

Tue, 05 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
References

Subscriptions

Meig Goahead
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T17:26:31.899Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36356

cve-icon Vulnrichment

Updated: 2026-05-05T17:24:35.995Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-05T14:16:08.873

Modified: 2026-05-07T15:53:49.717

Link: CVE-2026-36356

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T15:00:13Z

Weaknesses