CVE-2026-11406 | THREATINT – Canadian Cyber Watch

Description

A vulnerability was determined in GL.iNet MT3000 up to 4.4.5. This vulnerability affects unknown code of the file ovpnclient.sh of the component OpenVPN Client Import Workflow. This manipulation causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 4.9.0_beta3-1012-0513-1778656146 is able to resolve this issue. You should upgrade the affected component. The vendor confirms: “This issue has been addressed by implementing malicious checks on OpenVPN configuration files to prevent command injection attacks carried through malicious configuration files.”

PUBLISHED Reserved 2026-06-05 | Published 2026-06-06 | Updated 2026-06-06 | Assigner VulDB

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

6.5AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Command Injection

Injection

Product status

4.4.0
affected

4.4.1
affected

4.4.2
affected

4.4.3
affected

4.4.4
affected

4.4.5
affected

4.9.0_beta3-1012-0513-1778656146
unaffected

Timeline

2026-06-05:	Advisory disclosed
2026-06-05:	VulDB entry created
2026-06-05:	VulDB entry last update

Credits

strforexc (VulDB User) reporter

VulDB CNA Team coordinator

References

vuldb.com/vuln/368966 (VDB-368966 | GL.iNet MT3000 OpenVPN Client Import Workflow ovpnclient.sh command injection) vdb-entry

vuldb.com/vuln/368966/cti (VDB-368966 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/cve/CVE-2026-11406 (CVE-2026-11406 | CVE Analysis and Report) third-party-advisory

vuldb.com/submit/820049 (Submit #820049 | GL.iNet MT3000 4.4.5 Command Injection) third-party-advisory

github.com/…e/main/GL-iNet/MT3000/4.4.5/ovpn_client_import exploit

fw.gl-inet.cn/…mt3000-4.9.0_beta3-1012-0513-1778656146.tar patch

cve.org (CVE-2026-11406)

nvd.nist.gov (CVE-2026-11406)

Download JSON

Source link

What's Hot

SSA-771940 V1.1 (Last Update: 2024-08-13): X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go

The U.S. Military Quietly Turned GPS Into a Global ‘Numbers Station,’ Evidence Suggests

SSA-357412 V1.0: PRT File Parsing Vulnerability in NX Before V2406.3000

SSA-771940 V1.1 (Last Update: 2024-08-13): X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go

SSA-357412 V1.0: PRT File Parsing Vulnerability in NX Before V2406.3000

SSA-068047 V1.1 (Last Update: 2024-08-13): Multiple Vulnerabilities in SCALANCE M-800 Family Before V7.2.2

Catchy & Intriguing

IP Address Investigations and Local OSINT

Defending Canada’s Digital Frontier: Combating Phishing, Social Engineering, Ransomware, and Malware

Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

Most Popular

Catchy & Intriguing

IP Address Investigations and Local OSINT

Defending Canada’s Digital Frontier: Combating Phishing, Social Engineering, Ransomware, and Malware

Our Picks

SSA-771940 V1.1 (Last Update: 2024-08-13): X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go

The U.S. Military Quietly Turned GPS Into a Global ‘Numbers Station,’ Evidence Suggests

SSA-357412 V1.0: PRT File Parsing Vulnerability in NX Before V2406.3000

Subscribe to Updates

What's Hot

CVE-2026-11406 | THREATINT

Description

Problem types

Product status

Timeline

Credits

References

Related Posts

Subscribe to Updates