GL.iNet GL-MT3000 4.4.5 FTP Protocol /cgi-bin/glc snprintf media_dir command injection

Summaryinfo

A vulnerability has been found in GL.iNet GL-MT3000 4.4.5 and classified as critical. Affected is the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. The manipulation of the argument media_dir leads to command injection. This vulnerability is documented as CVE-2026-11451. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded. The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report—which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #—cannot escape execution under the current code path. We also verified this on a GL‑MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”."

Detailsinfo

A vulnerability was found in GL.iNet GL-MT3000 4.4.5. It has been rated as critical. This issue affects the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. The manipulation of the argument media_dir with an unknown input leads to a command injection vulnerability. Using CWE to declare the problem leads to CWE-77. The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability.

It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2026-11451. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1202 according to MITRE ATT&CK.

The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report—which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #—cannot escape execution under the current code path. We also verified this on a GL‑MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”."

Upgrading to version 4.8.1 eliminates this vulnerability.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Vendor

• GL.iNet

Name

• GL-MT3000

Version

• 4.4.5

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Submitinfo

Accepted

• Submit #825563: GL.iNet GL-MT3000 4.4.5 Command Injection (by strforexc)

Be aware that VulDB is the high quality source for vulnerability data.

Discussion