CVE-2026-11406

Severity: Medium
CWE-74 — Weakness Type
Published: Jun 6, 2026  ·  Modified: Jun 9, 2026  ·  Source: NVD
CVSS v3: 6.3
📄 Description (English)

A vulnerability was determined in GL.iNet MT3000 up to 4.4.5. This vulnerability affects unknown code of the file ovpnclient.sh of the component OpenVPN Client Import Workflow. This manipulation causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 4.9.0_beta3-1012-0513-1778656146 is able to resolve this issue. You should upgrade the affected component. The vendor confirms: "This issue has been addressed by implementing malicious checks on OpenVPN configuration files to prevent command injection attacks carried through malicious configuration files."

🤖 AI Executive Summary

GL.iNet MT3000 routers up to version 4.4.5 contain a command injection vulnerability in the OpenVPN Client Import Workflow that allows remote exploitation through malicious configuration files. While a beta patch (4.9.0_beta3) exists, no stable release is currently available. This vulnerability poses significant risk to organizations using GL.iNet devices for VPN connectivity, particularly in Saudi Arabia's government and enterprise sectors.

🤖 AI Intelligence Analysis
Analyzed: Jun 6, 2026 14:32
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi government agencies, financial institutions, and enterprises using GL.iNet MT3000 routers for secure VPN connectivity. High-risk sectors include: (1) Government/NCA - remote access infrastructure for critical operations; (2) Banking/SAMA - VPN gateways for inter-bank communications and regulatory reporting; (3) Telecom/STC - network infrastructure and customer VPN services; (4) Energy/ARAMCO - remote access for operational technology networks; (5) Healthcare - telemedicine and secure data transmission. Attackers could execute arbitrary commands with router privileges, potentially compromising entire network segments and sensitive data.
🏢 Affected Saudi Sectors
Government/NCA Banking/SAMA Telecom/STC Energy/ARAMCO Healthcare Enterprise IT Infrastructure Defense/Military
⚖️ Saudi Risk Score (AI)
7.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all GL.iNet MT3000 devices running firmware versions up to 4.4.5 across your organization
2. Restrict OpenVPN client import functionality to trusted administrators only
3. Implement network segmentation to isolate affected routers from critical systems
4. Monitor router logs for suspicious OpenVPN configuration import attempts

PATCHING GUIDANCE:
1. Evaluate beta version 4.9.0_beta3-1012-0513-1778656146 in isolated test environment before production deployment
2. Contact GL.iNet support for stable release timeline and security advisories
3. Plan firmware upgrade during maintenance windows with rollback procedures

COMPENSATING CONTROLS (if patching delayed):
1. Disable OpenVPN client import feature via web interface if not required
2. Implement firewall rules to restrict access to router management interfaces (port 80/443) to authorized IPs only
3. Use VPN configuration validation scripts to sanitize inputs before import
4. Deploy intrusion detection signatures for command injection patterns in OpenVPN configs

DETECTION RULES:
1. Monitor for unusual process execution spawned from ovpnclient.sh (bash, sh, nc, curl, wget)
2. Alert on OpenVPN configuration files containing shell metacharacters (;, |, &, $(), backticks)
3. Track failed and successful OpenVPN client imports with detailed logging
4. Monitor outbound connections initiated from router processes post-import
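
A pre-import check in the spirit of compensating control 3 and detection rule 2, added here as an example; it is not GL.iNet's fix and not code from this advisory. The page does not say which part of the configuration file reaches the shell, so the check flags the listed metacharacters anywhere in the file. The `EXEC_DIRECTIVES` list of OpenVPN script and plugin options and both sample configs are additions constructed for illustration.

```python
import re

# Shell metacharacters named in the detection rule: ; | & $( and backticks.
SHELL_META = re.compile(r"[;|&`]|\$\(")
# Assumption (not from the advisory): OpenVPN options that run or enable
# external scripts/plugins, worth a manual look in any imported profile.
EXEC_DIRECTIVES = {"up", "down", "route-up", "route-pre-down", "ipchange",
                   "tls-verify", "auth-user-pass-verify", "client-connect",
                   "client-disconnect", "learn-address", "script-security",
                   "plugin"}
INLINE_OPEN = re.compile(r"^<([a-z0-9-]+)>$")   # e.g. <ca>, <cert>, <key>

# Constructed samples; the suspect one is NOT the CVE's trigger.
SAMPLE_CLEAN = """client
remote vpn.example.com 1194
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedBase64Only
-----END CERTIFICATE-----
</ca>
"""
SAMPLE_SUSPECT = """client
dev tun
verb 3; echo constructed-marker
script-security 2
up ./constructed-up.sh
"""

def lint_ovpn(text):
    """Return (line_number, reason, line) findings for one .ovpn file."""
    findings, block = [], None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if block and line == f"</{block}>":      # end of inline PEM block
            block = None
            continue
        if block is None and (m := INLINE_OPEN.match(line)):
            block = m.group(1)
            continue
        is_comment = line[0] in "#;"
        # Skip the comment marker itself but still scan the comment text:
        # a script that greps the file need not honor OpenVPN comments.
        if SHELL_META.search(line[1:] if is_comment else line):
            findings.append((num, "shell metacharacter", line))
        if block is None and not is_comment:
            directive = line.split()[0].lstrip("-")
            if directive in EXEC_DIRECTIVES:
                findings.append((num, "script/plugin directive", line))
    return findings
```

A profile with any finding should be held for manual review rather than imported; an empty list means only that none of these patterns matched.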
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
1. ECC 2024 A.5.1.1 - Information Security Policies (secure configuration management)
2. ECC 2024 A.8.1.1 - User Endpoint Devices (VPN device security)
3. ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities (patch management)
4. ECC 2024 A.14.2.1 - Secure Development Policy (secure coding practices)
🔵 SAMA CSF
1. SAMA CSF ID.GV-1 - Organizational Context (asset inventory and management)
2. SAMA CSF PR.IP-12 - Information and Communication Technology (ICT) Security (vulnerability management)
3. SAMA CSF DE.CM-4 - Malicious Code Detection (command injection detection)
4. SAMA CSF RS.MI-2 - Incident Response (containment and eradication)
🟡 ISO 27001:2022
1. ISO 27001:2022 A.5.1 - Policies for Information Security (configuration management policy)
2. ISO 27001:2022 A.8.1 - User Endpoint Devices (secure device configuration)
3. ISO 27001:2022 A.12.6 - Management of Technical Vulnerabilities and Exposures (patch management)
4. ISO 27001:2022 A.14.2 - Secure Development, Implementation and Maintenance (secure coding)
🟣 PCI DSS v4.0.1
1. PCI DSS 6.2 - Ensure all system components and software are protected from known vulnerabilities
2. PCI DSS 11.2 - Run automated vulnerability scanning tools regularly
📊 CVSS Score
6.3 / 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: L (Low)
Integrity: L (Low)
Availability: L (Low)
📋 Quick Facts
Severity: Medium
CVSS Score: 6.3
CWE: CWE-74
EPSS: 0.73%
Exploit: No
Patch: ✗ No
Published: 2026-06-06
Source Feed: nvd
🇸🇦 Saudi Risk Score
7.2 / 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-74