📄 Description (English)
A security vulnerability has been detected in GL.iNet GL-MT3000 4.4.5. The impacted element is the function rpc_sys of the file /cgi-bin/luci/rpc of the component LuCI JSON-RPC Interface. Such manipulation leads to command injection. The attack may be performed from remote. Upgrading to version 4.8.1 is sufficient to resolve this issue. Upgrading the affected component is advised. The vendor confirms: "The issue discovered by the vulnerability researcher on older firmware versions(4.4.5) has actually been fixed and mitigated in the new version. According to the latest firmware fixes, by default, firmware versions after 4.7.13 do not install LuCI, so this vulnerability cannot be exploited."
🤖 AI Executive Summary
CVE-2026-11449 is a command injection vulnerability in GL.iNet GL-MT3000 firmware versions prior to 4.8.1, affecting the LuCI JSON-RPC interface. The vulnerability allows remote attackers to execute arbitrary commands through the rpc_sys function. While CVSS score is 6.3 (medium), the lack of authentication requirements and remote exploitability pose significant risk to organizations using affected GL.iNet devices in their network infrastructure.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 7, 2026 06:52
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using GL.iNet GL-MT3000 devices as edge routers or network gateways. Most at-risk sectors include: Telecommunications (STC, Mobily, Zain) using these devices in network infrastructure; Government agencies (NCA, CITC) deploying them in secure networks; Banking sector (SAMA-regulated institutions) if used in branch connectivity; Healthcare organizations using them for network segmentation; and Energy sector (ARAMCO, utilities) in operational technology networks. The command injection capability could allow lateral movement into critical network segments.
🏢 Affected Saudi Sectors
Telecommunications
Government
Banking
Healthcare
Energy
Education
Retail
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all GL.iNet GL-MT3000 devices in your network inventory, particularly those running firmware versions 4.4.5 through 4.7.13
2. Disable or restrict access to the LuCI JSON-RPC interface (/cgi-bin/luci/rpc) via firewall rules if immediate patching is not possible
3. Implement network segmentation to isolate affected devices from critical systems
4. Monitor for suspicious RPC calls and command injection attempts in logs
Patching Guidance:
1. Upgrade affected GL-MT3000 devices to firmware version 4.8.1 or later immediately
2. Verify that LuCI is not installed on devices running firmware 4.7.13 or earlier
3. Test patches in non-production environment before deployment
Compensating Controls:
1. Implement strict firewall rules limiting access to port 80/443 on affected devices
2. Deploy Web Application Firewall (WAF) rules to block suspicious JSON-RPC requests
3. Enable authentication on LuCI interface if available in your firmware version
4. Implement network-based intrusion detection signatures for command injection patterns
Detection Rules:
1. Monitor for POST requests to /cgi-bin/luci/rpc with suspicious parameters
2. Alert on rpc_sys function calls with shell metacharacters (|, ;, &, $, backticks)
3. Track firmware version changes and LuCI installation status
4. Log all administrative access attempts to affected devices
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع أجهزة GL.iNet GL-MT3000 في جرد الشبكة الخاص بك، خاصة تلك التي تعمل بإصدارات البرامج الثابتة من 4.4.5 إلى 4.7.13
2. قم بتعطيل أو تقييد الوصول إلى واجهة LuCI JSON-RPC (/cgi-bin/luci/rpc) عبر قواعد جدار الحماية إذا لم يكن الترقية الفورية ممكنة
3. تطبيق تقسيم الشبكة لعزل الأجهزة المتأثرة عن الأنظمة الحرجة
4. مراقبة محاولات حقن الأوامر والاتصالات RPC المريبة في السجلات
إرشادات الترقية:
1. قم بترقية أجهزة GL-MT3000 المتأثرة إلى إصدار البرنامج الثابت 4.8.1 أو أحدث على الفور
2. تحقق من عدم تثبيت LuCI على الأجهزة التي تعمل بإصدار البرنامج الثابت 4.7.13 أو أقدم
3. اختبر التصحيحات في بيئة غير الإنتاج قبل النشر
الضوابط البديلة:
1. تطبيق قواعد جدار حماية صارمة تحد من الوصول إلى المنفذ 80/443 على الأجهزة المتأثرة
2. نشر قواعد جدار تطبيقات الويب (WAF) لحظر طلبات JSON-RPC المريبة
3. تفعيل المصادقة على واجهة LuCI إن أمكن في إصدار البرنامج الثابت الخاص بك
4. تطبيق توقيعات الكشف عن الاختراقات القائمة على الشبكة لأنماط حقن الأوامر
قواعد الكشف:
1. مراقبة طلبات POST إلى /cgi-bin/luci/rpc مع معاملات مريبة
2. تنبيه استدعاءات وظيفة rpc_sys مع أحرف shell metacharacters (|, ;, &, $, backticks)
3. تتبع تغييرات إصدار البرنامج الثابت وحالة تثبيت LuCI
4. تسجيل جميع محاولات الوصول الإداري إلى الأجهزة المتأثرة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Network access control and boundary protection
ECC 2024 A.8.1.1 - User endpoint devices security
ECC 2024 A.8.2.1 - Privileged access management
ECC 2024 A.8.3.1 - Information security event logging
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Hardware and software assets are inventoried
SAMA CSF PR.AC-1 - Access to physical and logical assets is managed
SAMA CSF PR.PT-1 - Security policies and procedures are maintained
SAMA CSF DE.CM-1 - The network is monitored for unauthorized connections
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.1 - User endpoint devices
ISO 27001:2022 A.8.2 - Privileged access rights
ISO 27001:2022 A.8.3 - Information access restriction
🟣 PCI DSS v4.0.1
PCI DSS 1.1 - Firewall configuration standards
PCI DSS 2.1 - Default security parameters
PCI DSS 6.2 - Security patches and updates
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://fw.gl-inet.com/firmware/mt3000/release/mt3000-4.8.1-0819-1755615825.tar
cna@vuldb.com
https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/luci_rpc_sys_exec_rce
cna@vuldb.com
https://vuldb.com/cve/CVE-2026-11449
cna@vuldb.com
https://vuldb.com/submit/825385
cna@vuldb.com
https://vuldb.com/vuln/369069
cna@vuldb.com
https://vuldb.com/vuln/369069/cti
cna@vuldb.com