CVE-2026-11447: GL.iNet GL-MT3000 MTK Backend iwinfo.so iwinfo_backend command injection
A security flaw has been discovered in GL.iNet GL-MT3000 up to 4.4.5. Impacted is the function iwinfobackend of the file iwinfo.so of the component MTK Backend. The manipulation of the argument device results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 4.7 is recommended to address this issue. Upgrading the affected component is recommended. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection".
Affected Software
Remediation
Recommended actions to resolve this vulnerability, in priority order.
- Upgrade
Upgrade
GL.iNet GL-MT3000 MTK Backend (iwinfo.so)to a version that resolves this vulnerability.Fixed in 4.7
Event History
Frequently Asked Questions
What is the severity of CVE-2026-11447?
CVE-2026-11447 has a severity rating of medium with a score of 6.3.
What is CVE-2026-11447?
CVE-2026-11447 is a command injection vulnerability in the iwinfo_backend function of GL.iNet GL-MT3000 devices.
How do I fix CVE-2026-11447?
To fix CVE-2026-11447, update the GL.iNet GL-MT3000 to version 4.4.6 or later.
Who is affected by CVE-2026-11447?
CVE-2026-11447 affects users of GL.iNet GL-MT3000 devices running firmware version up to 4.4.5.
Can CVE-2026-11447 be exploited remotely?
Yes, CVE-2026-11447 can be exploited remotely, allowing attackers to perform command injection.