Description
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
Published: 2026-05-05
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated OS command injection in the GoAhead web server running on MeiG Smart FORGE_SLT711 devices. By sending crafted requests to the "/action/SetRemoteAccessCfg" endpoint, an attacker can execute arbitrary operating system commands with the privileges of the web server process. This flaw permits full control over the device and can compromise confidentiality, integrity, and availability of the device and any backend systems it interfaces with.

Affected Systems

The affected product is the GoAhead web server bundled in the MeiG Smart FORGE_SLT711 device, specifically firmware version MDM9607.LE.1.0-00110-STD.PROD-1.

Risk and Exploitability

The flaw poses a high risk due to its nature as an unauthenticated remote code execution vulnerability. While the EPSS score is not available, the attack vector can be inferred as network-based as the vulnerable endpoint is exposed over HTTP/HTTPS. The ease of exploitation is high because no authentication is required. The vulnerability is not listed in CISA’s KEV catalog, but the potential impact warrants immediate attention.

Generated by OpenCVE AI on May 5, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version that resolves the command injection flaw.
  • Disable or restrict the "/action/SetRemoteAccessCfg" endpoint by configuring the web server or applying network access controls.
  • Apply network segmentation or firewall rules to limit inbound traffic to the device and monitor for attempted exploitation attempts.

Generated by OpenCVE AI on May 5, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 05 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated OS Command Injection in GoAhead Web Server on MeiG Smart FORGE_SLT711
Weaknesses CWE-78

Tue, 05 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T17:26:31.899Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36356

cve-icon Vulnrichment

Updated: 2026-05-05T17:24:35.995Z

cve-icon NVD

Status : Received

Published: 2026-05-05T14:16:08.873

Modified: 2026-05-05T18:16:02.550

Link: CVE-2026-36356

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T15:30:26Z

Weaknesses