CVE-2026-12187

Summary

A security vulnerability has been detected in GL.iNet GL-MT3000 up to 4.4.5. Affected by this vulnerability is an unknown functionality of the file /usr/bin/one_click_upgrade of the component Online Firmware Upgrade Handler. Such manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 4.7 addresses this issue. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Affected Software

VendorProductVersion RangeStatus
GL.iNetGL-MT30004.4.0affected
GL.iNetGL-MT30004.4.1affected
GL.iNetGL-MT30004.4.2affected
GL.iNetGL-MT30004.4.3affected
GL.iNetGL-MT30004.4.4affected
GL.iNetGL-MT30004.4.5affected
GL.iNetGL-MT30004.7unaffected

Weaknesses

  • CWE-77: Command Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References