📄 Description (English)
A security flaw has been discovered in GL.iNet GL-MT3000 up to 4.4.5. Impacted is the function iwinfo_backend of the file iwinfo.so of the component MTK Backend. The manipulation of the argument device results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 4.7 is recommended to address this issue. Upgrading the affected component is recommended. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection".
🤖 AI Executive Summary
A command injection vulnerability exists in GL.iNet GL-MT3000 routers (versions up to 4.4.5) affecting the iwinfo backend component. The flaw allows remote attackers to execute arbitrary commands through manipulation of the device parameter. With a CVSS score of 6.3 and public exploit availability, this poses a moderate risk to organizations using these devices as network infrastructure components.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 7, 2026 06:52
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using GL.iNet GL-MT3000 routers in network infrastructure roles. Most at-risk sectors include: Telecommunications (STC, Mobily, Zain) using these devices in network edge deployments; Government agencies (NCA, CITC) with network infrastructure; Banking sector (SAMA-regulated institutions) if deployed in branch networks; Healthcare organizations using these routers for network connectivity; and Energy sector (ARAMCO) in operational technology networks. The command injection capability could allow lateral movement, data exfiltration, or network compromise.
🏢 Affected Saudi Sectors
Telecommunications
Government
Banking
Healthcare
Energy
Education
Retail
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all GL.iNet GL-MT3000 devices in your network infrastructure using asset discovery tools
2. Isolate affected devices from critical network segments if version 4.4.5 or earlier is confirmed
3. Implement network segmentation to restrict access to these devices
Patching Guidance:
1. Upgrade to GL.iNet firmware version 4.7 or later immediately when available
2. Verify vendor release notes confirm the iwinfo backend command injection fix
3. Test patches in non-production environment before deployment
Compensating Controls (if immediate patching not possible):
1. Restrict network access to GL-MT3000 devices using firewall rules (whitelist only authorized IPs)
2. Disable remote management interfaces if not required
3. Monitor device logs for suspicious iwinfo backend activity
4. Implement IDS/IPS rules to detect command injection patterns in device parameters
5. Change default credentials and enforce strong authentication
Detection Rules:
1. Monitor for HTTP/HTTPS requests containing special characters (|, ;, &, $, `, \n) in device parameter fields
2. Alert on unexpected process execution from iwinfo.so component
3. Log and monitor all remote access attempts to device management interfaces
4. Implement behavioral analysis for unusual command execution patterns
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع أجهزة GL.iNet GL-MT3000 في البنية التحتية للشبكة باستخدام أدوات اكتشاف الأصول
2. عزل الأجهزة المتأثرة عن قطاعات الشبكة الحرجة إذا تم تأكيد الإصدار 4.4.5 أو الأقدم
3. تنفيذ تقسيم الشبكة لتقييد الوصول إلى هذه الأجهزة
إرشادات التصحيح:
1. الترقية إلى إصدار البرنامج الثابت GL.iNet 4.7 أو الأحدث فوراً عند توفره
2. التحقق من ملاحظات إصدار البائع لتأكيد إصلاح ثغرة حقن الأوامر في iwinfo backend
3. اختبار التصحيحات في بيئة غير الإنتاج قبل النشر
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تقييد الوصول إلى شبكة أجهزة GL-MT3000 باستخدام قواعد جدار الحماية (قائمة بيضاء للعناوين المصرح بها فقط)
2. تعطيل واجهات الإدارة البعيدة إذا لم تكن مطلوبة
3. مراقبة سجلات الجهاز للنشاط المريب في iwinfo backend
4. تنفيذ قواعد IDS/IPS للكشف عن أنماط حقن الأوامر في معاملات الجهاز
5. تغيير بيانات الاعتماد الافتراضية وفرض المصادقة القوية
قواعد الكشف:
1. مراقبة طلبات HTTP/HTTPS التي تحتوي على أحرف خاصة (|، ;، &، $، `، \n) في حقول معاملات الجهاز
2. التنبيه على تنفيذ العمليات غير المتوقعة من مكون iwinfo.so
3. تسجيل ومراقبة جميع محاولات الوصول البعيد إلى واجهات إدارة الجهاز
4. تنفيذ التحليل السلوكي لأنماط تنفيذ الأوامر غير العادية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Network security controls for infrastructure devices
ECC 2024 A.5.1.2 - Access control to network devices
ECC 2024 A.5.1.3 - Monitoring and logging of network device activities
ECC 2024 A.6.2.1 - Vulnerability management and patching
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset management and inventory
SAMA CSF PR.AC-1 - Access control policies
SAMA CSF PR.IP-12 - Security patch management
SAMA CSF DE.CM-1 - Detection and monitoring of anomalies
🟡 ISO 27001:2022
ISO 27001:2022 A.5.19 - Installation and maintenance of network infrastructure
ISO 27001:2022 A.8.1.1 - User endpoint devices
ISO 27001:2022 A.8.2.3 - Segregation of networks
ISO 27001:2022 A.8.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches for system components
PCI DSS 11.2 - Vulnerability scanning and remediation
🔗 References & Sources 5
🔗
🔗
🔗
🔗
🔗
https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/iwinfo_scan_ubus_rce
cna@vuldb.com
https://vuldb.com/cve/CVE-2026-11447
cna@vuldb.com
https://vuldb.com/submit/824951
cna@vuldb.com
https://vuldb.com/vuln/369067
cna@vuldb.com
https://vuldb.com/vuln/369067/cti
cna@vuldb.com