A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir can lead to command injection. It is possible to launch the attack remotely. Upgrading to version 4.8.1 will fix this issue. You should upgrade the affected component. The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report—which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #—cannot escape execution under the current code path. We also verified this on a GL‑MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”."
GL.iNet GL-MT3000 FTP Protocol glc snprintf command injection
Problem type
Affected products
GL.iNet
4.4.5 - AFFECTED
4.8.1 - UNAFFECTED
References
https://vuldb.com/vuln/369071
https://vuldb.com/vuln/369071/cti
https://vuldb.com/cve/CVE-2026-11451
https://vuldb.com/submit/825563
https://github.com/StrTzz123/iot_vul/blob/main/GL-iNet/MT3000/4.4.5/nas_proto_media_dir_glc_rce/Readme.md
GitHub Security Advisories
GHSA-rw8j-c4m6-h6r7
A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file ...
https://github.com/advisories/GHSA-rw8j-c4m6-h6r7A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir can lead to command injection. It is possible to launch the attack remotely. Upgrading to version 4.8.1 will fix this issue. You should upgrade the affected component. The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report—which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #—cannot escape execution under the current code path. We also verified this on a GL‑MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”."
https://nvd.nist.gov/vuln/detail/CVE-2026-11451
https://github.com/StrTzz123/iot_vul/blob/main/GL-iNet/MT3000/4.4.5/nas_proto_media_dir_glc_rce/Readme.md
https://vuldb.com/cve/CVE-2026-11451
https://vuldb.com/submit/825563
https://vuldb.com/vuln/369071
https://vuldb.com/vuln/369071/cti
https://github.com/advisories/GHSA-rw8j-c4m6-h6r7
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-11451Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-11451",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2026-06-07T03:00:14.858Z",
"dateReserved": "2026-06-06T10:33:20.923Z",
"datePublished": "2026-06-07T03:00:14.858Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2026-06-07T03:00:14.858Z"
},
"title": "GL.iNet GL-MT3000 FTP Protocol glc snprintf command injection",
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir can lead to command injection. It is possible to launch the attack remotely. Upgrading to version 4.8.1 will fix this issue. You should upgrade the affected component. The vendor explains: \"In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report—which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #—cannot escape execution under the current code path. We also verified this on a GL‑MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”.\""
}
],
"affected": [
{
"vendor": "GL.iNet",
"product": "GL-MT3000",
"cpes": [
"cpe:2.3:o:gl-inet:gl-mt3000_firmware:*:*:*:*:*:*:*:*"
],
"modules": [
"FTP Protocol Handler"
],
"versions": [
{
"version": "4.4.5",
"status": "affected"
},
{
"version": "4.8.1",
"status": "unaffected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Command Injection",
"cweId": "CWE-77",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Injection",
"cweId": "CWE-74",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/vuln/369071",
"name": "VDB-369071 | GL.iNet GL-MT3000 FTP Protocol glc snprintf command injection",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/vuln/369071/cti",
"name": "VDB-369071 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/cve/CVE-2026-11451",
"name": "CVE-2026-11451 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://vuldb.com/submit/825563",
"name": "Submit #825563 | GL.iNet GL-MT3000 4.4.5 Command Injection",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://github.com/StrTzz123/iot_vul/blob/main/GL-iNet/MT3000/4.4.5/nas_proto_media_dir_glc_rce/Readme.md",
"tags": [
"related"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"baseScore": 7.3,
"baseSeverity": "HIGH"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"baseScore": 7.3,
"baseSeverity": "HIGH"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"baseScore": 7.5
}
}
],
"timeline": [
{
"time": "2026-06-06T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2026-06-06T02:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2026-06-06T12:38:40.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "strforexc (VulDB User)",
"type": "reporter"
},
{
"lang": "en",
"value": "VulDB CNA Team",
"type": "coordinator"
}
]
}
}
}