Vulnerabilities

CVE-2026-11452

High
CWE-74 — Weakness Type
Published: Jun 7, 2026  ·  Modified: Jun 10, 2026  ·  Source: NVD
CVSS v3
7.3
🔗 NVD Official
📄 Description (English)

A vulnerability has been found in GL.iNet GL-MT3000 up to 4.4.5. Affected is the function FUN_0042e200 of the file /cgi-bin/glc of the component SET_USER_PWD Handler. The manipulation of the argument Password leads to command injection. The attack can be initiated remotely. Upgrading to version 4.8.1 is able to address this issue. The affected component should be upgraded. The vendor explains: "The current code escapes single quotes in the password parameter and handles it inside a shell single-quote context. The payloads in the report, which rely on $() or backticks to trigger command substitution, are not executed under the current code path. We tested on a GL-MT3000 device running firmware 4.8.1 using similar payloads, and no command-execution marker file was created."
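The vendor statement above hinges on a shell quoting detail: inside single quotes a POSIX shell performs no command substitution, so $() and backticks stay literal, but only if every single quote inside the value is escaped; otherwise the value closes the quote and the remainder runs unquoted. The following Python is an added illustration, not GL.iNet's code (the real handler is native code in /cgi-bin/glc; the helper command, its flag and the payloads are constructed assumptions). It builds the command three ways and scans each result for metacharacters the shell would actually interpret.

```python
"""Vulnerable vs. hardened construction of a shell command that carries a
user-supplied password, plus a scanner that reports which shell
metacharacters would actually be interpreted.

Added example, not GL.iNet's code. HELPER is a hypothetical command line
standing in for whatever the SET_USER_PWD handler really invokes.
"""
import shlex

HELPER = "/usr/sbin/set-user-pwd"  # hypothetical; not on the page


def build_cmd_unsafe(password: str) -> str:
    """Attacker-controlled text is concatenated straight into the command line."""
    return f"{HELPER} --password {password}"


def build_cmd_naive(password: str) -> str:
    """Single quotes are added but embedded single quotes are NOT escaped,
    so a password containing ' closes the quote and the rest runs unquoted."""
    return f"{HELPER} --password '{password}'"


def build_cmd_safe(password: str) -> str:
    """Single-quote context with escaped embedded quotes (what the vendor
    statement describes): shlex.quote turns ' into '"'"' and wraps the rest
    in single quotes, so the shell sees one literal word."""
    return f"{HELPER} --password {shlex.quote(password)}"


def unquoted_metachars(cmd: str) -> list:
    """Return (offset, token) for every `$(`, backtick, ;, | or & a POSIX shell
    would interpret: outside single quotes and not backslash-escaped.
    Double quotes stop word splitting but NOT command substitution, so `$(`
    and backticks inside double quotes are still reported."""
    hits = []
    state = None  # None = unquoted, "'" = single-quoted, '"' = double-quoted
    i = 0
    while i < len(cmd):
        c = cmd[i]
        if state == "'":
            if c == "'":
                state = None
        elif c == "\\":
            i += 2  # backslash escapes the next character (approximation inside "")
            continue
        elif c == "'" and state is None:
            state = "'"
        elif c == '"':
            state = None if state == '"' else '"'
        elif c == "`" or cmd.startswith("$(", i):
            hits.append((i, "$(" if c == "$" else "`"))
        elif state is None and c in ";|&":
            hits.append((i, c))
        i += 1
    return hits


def roundtrips(password: str) -> bool:
    """The hardened command must parse back into exactly the original password."""
    return shlex.split(build_cmd_safe(password))[-1] == password


if __name__ == "__main__":
    for payload in ("$(id)", "'$(id)'", "x'; id; '", "`id`"):
        for name, build in (("unsafe", build_cmd_unsafe),
                            ("naive", build_cmd_naive),
                            ("safe", build_cmd_safe)):
            cmd = build(payload)
            print(f"{name:6} {cmd!r:48} -> {unquoted_metachars(cmd)}")
```

Running the block prints one row per builder and payload. The useful observation is that the naive builder fails exactly on payloads that begin with a quote, which is the classic break-out against "we wrapped it in single quotes", while the escaped builder never exposes a metacharacter and still round-trips the original password. The scanner treats double quotes as unsafe on purpose, because $() and backticks expand inside them.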

🤖 AI Executive Summary

CVE-2026-11452 is a command injection weakness (CWE-74) reported in the GL.iNet GL-MT3000 router, firmware versions up to 4.4.5. The affected code is the SET_USER_PWD handler in /cgi-bin/glc (function FUN_0042e200), where the Password argument reaches a shell command. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scores the issue as reachable over the network with no privileges and no user interaction, so a device whose admin interface is exposed should be treated as remotely attackable. The scored impact is C:L/I:L/A:L (7.3, High); command execution inside a router's CGI handler commonly gives the attacker a foothold on the device itself, so the practical impact can exceed the score. The NVD description states that upgrading to firmware 4.8.1 addresses the issue. The vendor's statement adds that the current code escapes single quotes in the password and places the value in a shell single-quote context, so the reported $() and backtick payloads are not expanded, and that testing on 4.8.1 produced no command-execution marker. Devices running 4.4.5 or earlier are the population at risk and should be upgraded.

🤖 AI Intelligence Analysis Analyzed: Jun 10, 2026 06:41
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability is relevant to Saudi organizations that use the GL-MT3000 at the network edge. The GL-MT3000 is a portable travel router, so the most likely deployments are staff travel and remote-work kits, small branch or temporary sites, and hotspot setups; an exposed admin interface on such a device is reachable from the internet or from any client on its Wi-Fi. Sectors where this exposure matters most:
1. Banking & Financial Services (SAMA-regulated): a compromised branch or travel router can be used as a pivot into internal networks.
2. Government & Critical Infrastructure (NCA oversight): compromise of a network perimeter device.
3. Telecommunications (STC, Mobily): only where such devices appear in field or office networks; they are not carrier-grade equipment.
4. Healthcare (MOH): hospital and clinic networks that rely on small routers.
5. Energy Sector (ARAMCO, SEC): where used in operational technology or field networks.
The NVD record scores the issue as reachable over the network without privileges or user interaction (PR:N/UI:N), which is what makes internet-facing management interfaces the priority.
🏢 Affected Saudi Sectors
Banking & Financial Services Government & Public Administration Critical Infrastructure Healthcare Telecommunications Energy & Utilities Education
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all GL-MT3000 devices in your network (nmap service scans that fingerprint the router's admin web interface, Shodan queries for exposed GL.iNet interfaces, asset inventory and Wi-Fi surveys; travel routers are often unmanaged personal kit, so ask staff for them)
2. Remove the admin interface from internet-facing positions immediately: no WAN-side access to the web UI
3. Implement network segmentation so only the management network can reach the admin interface
4. Change all default credentials on GL-MT3000 devices; this is hygiene rather than a fix for this issue, since the handler is scored as reachable without privileges (PR:N)
5. Monitor for suspicious activity on affected devices (check logs for POST requests to /cgi-bin/glc and SET_USER_PWD calls from unexpected sources)

PATCHING GUIDANCE:
1. Obtain firmware version 4.8.1 or later from GL.iNet's official firmware download site or through the router's built-in upgrade function; the NVD description names 4.8.1 as the version that addresses this issue
2. Verify firmware authenticity before deployment: download only from the vendor, compare the published checksum, and do not sideload images from third parties
3. Test in a non-production environment first, including a password change through the admin UI to confirm SET_USER_PWD still works after the upgrade
4. Schedule a maintenance window for the update (a firmware flash reboots the device)
5. Document the pre-update device configuration and export a backup so the device can be restored if the upgrade fails

COMPENSATING CONTROLS (if patching delayed):
1. Block or alert on requests to /cgi-bin/glc whose Password value contains command substitution or shell separators ($(, backticks, |, ;, &). Legitimate passwords can contain these characters, so prefer alerting over blocking unless the device is otherwise locked down; most GL-MT3000 deployments have no WAF in front of them, so this control only applies where a reverse proxy or inline IPS sits in the path
2. Restrict network access to GL-MT3000 management interfaces using firewall rules (allowlist only authorized management IPs)
3. Disable remote (WAN-side) management features if not required
4. Deploy network-based intrusion detection signatures for attempts against /cgi-bin/glc
5. Require VPN access for administration of the device

DETECTION RULES:
1. Monitor HTTP POST requests to /cgi-bin/glc carrying SET_USER_PWD and inspect the Password value after percent-decoding, since payloads usually arrive URL-encoded (sometimes double-encoded)
2. Alert on command substitution in password fields ($(...), backticks) as high confidence, and on bare separators (;, |, &) as lower confidence, since those can appear in legitimate passwords
3. Monitor for unusual child processes of the web server process, for example a shell spawned by the CGI handler that writes files or opens outbound connections
4. Track failed authentication attempts followed by password change requests from the same source
5. Log all administrative interface access with source IP tracking
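A worked version of the detection rules above, which also covers the WAF/IPS patterns listed under compensating controls: an added Python example, not vendor or product code. The log line format, the form-encoded SET_USER_PWD&Password=... body, the source addresses and the management allowlist are constructed assumptions; real glc requests may be encoded differently, so adapt the parser to what your proxy, IDS or WAF actually records before deploying.

```python
"""Detect SET_USER_PWD requests to /cgi-bin/glc whose Password value carries
shell command-substitution or separator characters.

Added example, not vendor code. Log format, body encoding, addresses and the
allowlist are constructed. Percent-decoding is applied repeatedly (bounded)
because exploit attempts commonly arrive double-encoded.
"""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log: "<ts> <src> <method> <path> <status> \"<body>\""
SAMPLE_LOG = """\
2026-06-10T06:41:02Z 203.0.113.7 POST /cgi-bin/glc 200 "SET_USER_PWD&Password=%24%28touch%20%2Ftmp%2Fpwned%29"
2026-06-10T06:41:05Z 10.0.0.12 POST /cgi-bin/glc 200 "SET_USER_PWD&Password=Correct%21Horse%24Battery"
2026-06-10T06:41:09Z 10.0.0.12 GET /cgi-bin/glc?op=GET_STATUS 200 ""
2026-06-10T06:41:12Z 198.51.100.9 POST /cgi-bin/glc 200 "SET_USER_PWD&Password=%2527%2560id%2560%2527"
2026-06-10T06:41:15Z 10.0.0.12 POST /cgi-bin/glc 200 "SET_USER_PWD&Password=pa%3Bss%7Cword"
"""

MGMT_ALLOWLIST = {"10.0.0.12"}  # assumed management hosts

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
SUBSTITUTION = ("$(", "`", "${")     # high confidence: shell expansion syntax
SEPARATORS = (";", "|", "&", "\n")   # lower confidence: legal in real passwords


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %2524%2528 still becomes $(."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def classify_password(pw: str):
    """Return ('high', token), ('medium', token) or None for a decoded password."""
    for tok in SUBSTITUTION:
        if tok in pw:
            return ("high", tok)
    for tok in SEPARATORS:
        if tok in pw:
            return ("medium", tok)
    return None


def scan_log(text: str, allowlist=MGMT_ALLOWLIST) -> list:
    """One alert dict per SET_USER_PWD request that is suspicious or comes from
    outside the management allowlist. Separators from a non-management source
    are escalated to high because that combination is rarely legitimate."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, path, status, body = m.groups()
        if method != "POST" or path.split("?")[0] != "/cgi-bin/glc":
            continue
        params = parse_qs(body, keep_blank_values=True)
        if "SET_USER_PWD" not in params:
            continue
        pw = decode_fully(params.get("Password", [""])[0])
        verdict = classify_password(pw)
        outside = src not in allowlist
        if verdict is None and not outside:
            continue
        sev = verdict[0] if verdict else "low"
        if outside and sev == "medium":
            sev = "high"
        alerts.append({"ts": ts, "src": src, "severity": sev,
                       "token": verdict[1] if verdict else None,
                       "outside_allowlist": outside})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this flags the two external requests carrying $( and a backtick as high, the internal request with ; and | as medium, and stays silent on the password that merely contains a lone $. The medium tier exists because blocking on bare separators would lock out users with strong passwords; tune the allowlist and tiers to your environment.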
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.5.1.1 — Network security perimeter controls
- ECC 2024 A.5.2.1 — Access control to network services
- ECC 2024 A.6.2.1 — User authentication and password management
- ECC 2024 A.8.2.3 — Vulnerability management and patching
- ECC 2024 A.12.6.1 — Management of technical vulnerabilities
🔵 SAMA CSF
- SAMA CSF ID.AM-2 — Asset management and inventory
- SAMA CSF PR.AC-1 — Access control policy and procedures
- SAMA CSF PR.PT-2 — Protective technology deployment
- SAMA CSF DE.CM-8 — Vulnerability scanning and assessment
- SAMA CSF RS.MI-2 — Incident response and containment
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.15 — Access control
- ISO 27001:2022 A.8.1 — User endpoint devices
- ISO 27001:2022 A.8.2 — Privileged access rights
- ISO 27001:2022 A.8.8 — Management of technical vulnerabilities
- ISO 27001:2022 A.8.25 — Secure development life cycle
🟣 PCI DSS v4.0.1
- PCI DSS 2.2.2 — Vendor default accounts and passwords
- PCI DSS 6.3.3 — Security patches and updates
- PCI DSS 11.3 — Vulnerability scanning
- PCI DSS 11.4 — Penetration testing
Note on identifiers: the NCA ECC and SAMA CSF entries above carry the feed's NIST-CSF-style labels (A.x.x.x, ID.AM-2), not those frameworks' published control numbering (ECC uses hyphenated domain-subdomain numbering such as 2-x-x; SAMA CSF uses numbered sections such as 3.x.x), so verify each against the published control text before citing it in an audit. The ISO and PCI entries use the ISO 27001:2022 and PCI DSS v4 numbering; the feed's A.12.6.1/A.14.2.1 and 11.2/11.3 were the ISO 27001:2013 and PCI DSS v3.2.1 identifiers for the same topics.
📊 CVSS Score
7.3
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: L (Low)
Integrity: L (Low)
Availability: L (Low)
📋 Quick Facts
Severity High
CVSS Score7.3
CWECWE-74
Exploit No
Patch Fixed version 4.8.1 named in the NVD description (feed flag: ✗ No)
Published 2026-06-07
Source Feed nvd
🇸🇦 Saudi Risk Score
8.2
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-74