CVE-2026-12187: GL.iNet GL-MT3000 Online Firmware Upgrade one_click_upgrade command injection
A security vulnerability has been detected in GL.iNet GL-MT3000 up to 4.4.5. Affected by this vulnerability is an unknown functionality of the file /usr/bin/one_click_upgrade of the component Online Firmware Upgrade Handler. Such manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 4.7 addresses this issue. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 4.7
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a command injection vulnerability in the GL.iNet GL-MT3000 router firmware, specifically in the Online Firmware Upgrade Handler (/usr/bin/one_click_upgrade) on versions up to 4.4.5. The flaw is reachable over the network and requires only a low-privilege account, meaning any authenticated user can trigger it. Successful exploitation gives an attacker full control over the device: the ability to read its data, modify its state, and disrupt its operation. A patched-image rebuild at version 4.7 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle GL-MT3000 firmware layers. Any image containing an affected firmware version (4.4.0 through 4.4.5) will surface a finding automatically. Status: Available.
HarborGuard scores this finding at CVSS 8.7 (HIGH) using the v4.0 vector from the record, and per-environment compliance policy weighting can escalate or suppress urgency based on each customer org's risk thresholds. Findings are routed to the inbox configured for the affected registry or pipeline within that customer environment. Status: Available.
A patched-image rebuild targeting firmware version 4.7 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically. Status: Available.
Exploit Conditions
- Network reachability: Required. The attacker must be able to reach the device's firmware upgrade interface over the network; no physical or local access is needed.
- Authentication: Required. A low-privilege account is sufficient; the attacker does not need administrator credentials to reach the vulnerable handler.
- Victim interaction: Not required. No user interaction is required; the attacker can trigger the injection without any action from a logged-in user.
- Attack complexity: Detail. Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- Reads sensitive data stored on the device, including credentials, configuration, and network topology details.
- Modifies device configuration or firmware state, enabling persistent backdoors or traffic interception.
- Crashes or disrupts the firmware upgrade process and connected network services, taking the device offline.
- Executes arbitrary OS commands as the process owner, effectively giving full shell-level control of the router.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-12187 is active across all customer environments, matching against images that include GL-MT3000 firmware versions 4.4.0 through 4.4.5. A patched rebuild at version 4.7 is available for affected images. For customers who opt into auto-remediation, HarborGuard handles the rebuild, regression test run, and PR creation against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before remediation, the finding is queued and routed to the appropriate team inbox with full CVSS context attached. Because a public exploit is confirmed (CVSS E:P), treating this as urgent is warranted for any environment exposing the router management interface beyond a trusted network segment.
- GL.iNet / GL-MT3000: 4.4.0 · 4.4.1 · 4.4.2 · 4.4.3 · 4.4.4 · 4.4.5 (Fixed in 4.7)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
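As an added example (not HarborGuard or GL.iNet code), the following triages a device inventory against the version bounds stated on this page. It separates versions below 4.4.0, which fall under "up to 4.4.5" but are not in the enumerated 4.4.0 to 4.4.5 list, and versions between 4.4.5 and 4.7, for which the page states no status. Device names, firmware strings and status labels are constructed for illustration.

```python
import re

# Version bounds taken from the advisory text on this page.
LAST_AFFECTED = (4, 4, 5)   # "up to 4.4.5"
FIRST_LISTED = (4, 4, 0)    # product list enumerates 4.4.0 .. 4.4.5
FIXED = (4, 7, 0)           # "Fixed in 4.7"

def parse_version(text):
    """Return (major, minor, patch) or None; tolerates a 'v' prefix and build suffixes."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def classify(text):
    """Map a firmware version string to a triage status (labels are this example's own)."""
    v = parse_version(text)
    if v is None:
        return "unknown"            # unparseable string: needs a manual check
    if v >= FIXED:
        return "fixed"
    if v > LAST_AFFECTED:
        return "unverified"         # 4.4.6 .. 4.6.x: the page gives no status
    if v < FIRST_LISTED:
        return "affected-unlisted"  # within "up to 4.4.5", outside the 4.4.0-4.4.5 list
    return "affected"

def triage(inventory):
    """Group device names by status; inventory is {device_name: firmware_string}."""
    result = {}
    for name, fw in sorted(inventory.items()):
        result.setdefault(classify(fw), []).append(name)
    return result

# Constructed sample inventory (hypothetical device names and version strings).
SAMPLE = {
    "branch-01": "4.4.5",
    "branch-02": "v4.7.0",
    "branch-03": "4.5.16-release1",
    "lab-01": "4.2.3",
    "lab-02": "",
    "hq-01": "4.4.0",
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE).items():
        print(f"{status:18} {', '.join(names)}")
```

Devices reported as unverified, affected-unlisted or unknown need a manual check against the vendor's release notes, since a scanner matching only the enumerated versions would not flag them.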