| Title | GL.iNet GL-MT3000 4.4.5 Command Injection |
|---|---|
| Description | An authenticated command injection vulnerability exists in the online firmware upgrade workflow of the affected product. The POST /rpc endpoint can invoke upgrade.upgrade_online with a user-controlled firmware URL. The RPC handler passes this value to /usr/bin/one_click_upgrade, where the firmware path is later used in a shell command without sufficient sanitization and quoting. If the firmware URL is accepted with shell metacharacters, an authenticated attacker may be able to execute arbitrary commands with root privileges. The firmware checksum verification fails afterward, so the device does not continue with a real firmware flashing process. |
| Source | ⚠️ https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/upgrade_online_url |
| User | strforexc (UID 94617) |
| Submission | 04/29/2026 14:17 (2 months ago) |
| Moderation | 06/14/2026 08:30 (2 months later) |
| Status | Accepted |
| VulDB entry | 370833 [GL.iNet GL-MT3000 up to 4.4.5 Online Firmware Upgrade one_click_upgrade command injection] |
| Points | 20 |