HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-12186Published Modified CNA VulDB

CVE-2026-12186: GL.iNet GL-MT3000 Tor Proxy Service Configuration tor replace_country command injection

A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. Affected is the function replace_country in the library /usr/lib/oui-httpd/rpc/tor of the component Tor Proxy Service Configuration Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 4.7 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Metrics

CVSS v4.0
8.7
Severity
HIGH
Fixed in
4.7
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A command injection vulnerability affects the Tor Proxy Service Configuration Handler in GL.iNet GL-MT3000 firmware versions up to 4.4.5, specifically in the replace_country function of the /usr/lib/oui-httpd/rpc/tor library. The flaw is reachable over the network and requires a low-privilege account; no victim interaction is needed. Successful exploitation gives an attacker full read, write, and execution control over the device. A patched-image rebuild at version 4.7 is available on HarborGuard for environments running an affected firmware version.

HarborGuard Coverage

Detection

Detection of CVE-2026-12186 is available across every HarborGuard environment; the CVE is ingested from upstream feeds (including VulDB and NVD) within minutes of publication and matched against customer images, including custom-built images that bundle GL.iNet firmware or derived components. Any image containing an affected version of the GL-MT3000 firmware stack is flagged automatically during pipeline scans and registry sweeps.

Available
Triage

HarborGuard surfaces this CVE with its CVSS v4.0 score of 8.7 (HIGH) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer org. Triage findings are routed to the team or inbox configured in each customer's notification settings, so the right engineers see it without manual filtering.

Available
Patch

A patched-image rebuild at firmware version 4.7 becomes available on HarborGuard for any environment where an affected GL-MT3000 image is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a PR against affected workloads automatically, subject to the compliance policy configured in that environment.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the device's Tor Proxy Service Configuration Handler over the network; no local or physical access is required.

  • AuthenticationRequired

    A low-privilege account on the device is sufficient to trigger the vulnerable replace_country function; no admin credentials are needed.

  • Victim interactionNot required

    No user action or social engineering is needed; the attacker can send a crafted request directly without involving any other party.

  • Attack complexityDetail

    Exploit conditions are straightforward and reliable; no race conditions, special memory layout, or environmental pre-conditions are required to trigger the injection.

Blast Radius

  • Reads sensitive files and credentials stored on the device, including any secrets accessible to the web service process.
  • Writes or overwrites arbitrary files on the device filesystem, allowing persistent backdoors or configuration tampering.
  • Executes arbitrary OS commands with the privileges of the oui-httpd service, enabling full device takeover.
  • Crashes or disrupts the Tor proxy service, cutting off anonymized traffic routing for any workloads depending on the device.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12186 is active across all connected registries and CI pipelines the moment the CVE was ingested. For environments running an affected GL-MT3000 firmware image (versions 4.4.0 through 4.4.5), a rebuild at the fixed version 4.7 is available. Customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where compliance policy requires manual approval, the rebuilt image and triage report are queued for reviewer action. Given the public exploit availability noted in the advisory (CVSS E:P), prioritizing this upgrade promptly is advisable for any environment shipping this firmware.

See how HarborGuard automates this

Fix available

4.7
Patch commits
Affected packages
  • GL.iNet / GL-MT3000
    4.4.0 · 4.4.1 · 4.4.2 · 4.4.3 · 4.4.4 · 4.4.5
    Fixed in 4.7
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
References