GL-iNet GL-AR300M16 Command Injection Vulnerability in System Log Retrieval

Vulnerability

A command injection vulnerability has been identified in the GL-iNet GL-AR300M16 router running firmware version 4.3.11. The flaw lies in the 'M.get_system_log' function of 'logread.lua': the 'module' parameter of the request is not sanitized before it is concatenated into a system command line, so shell metacharacters in the parameter are interpreted by the shell rather than treated as part of the log module name. Because the handler runs with root privileges, an attacker who can reach the HTTP interface can execute arbitrary commands as root by sending a crafted value in that parameter.
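The following Lua snippet is an added illustration of the class of bug described above, not the GL-iNet logread.lua source, which is not reproduced on this page. It assumes a handler that receives a JSON-RPC params table with a 'module' string and builds a 'logread' command line from it; the real command line and function body are not known and are assumed here for demonstration. The vulnerable form is shown beside a hardened form that enforces an allowlist on the parameter before it reaches the shell.

```lua
-- Added example (not GL-iNet code). Assumed handler shape: params.module
-- is a string that selects which log entries to return, and the handler
-- shells out to 'logread' as root.

local M = {}

-- Vulnerable pattern: untrusted input is concatenated straight into a
-- shell command line, so "; id" or "$(...)" in params.module becomes
-- shell syntax when the string is handed to os.execute()/io.popen().
function M.get_system_log_vulnerable(params)
    local cmd = "logread -e " .. tostring(params.module)
    return cmd  -- returned instead of executed so the example is inert
end

-- Hardened pattern: validate against a strict allowlist of characters
-- and a length bound, and refuse anything else. Escaping or quoting the
-- value is not used as the defence because it is easy to get wrong.
local function safe_module(value)
    if type(value) ~= "string" then
        return nil, "module must be a string"
    end
    if #value == 0 or #value > 32 then
        return nil, "module has invalid length"
    end
    -- letters, digits, dot, underscore and dash only
    if not value:match("^[%w%._%-]+$") then
        return nil, "module contains invalid characters"
    end
    return value
end

function M.get_system_log_hardened(params)
    local mod, err = safe_module(params.module)
    if not mod then
        return nil, err
    end
    return "logread -e " .. mod
end

-- Constructed inputs for the demonstration
local benign  = { module = "dnsmasq" }
local hostile = { module = "dnsmasq; id" }  -- constructed, illustrative only

print(M.get_system_log_vulnerable(hostile))  -- command line now carries "; id"
print(M.get_system_log_hardened(hostile))    -- nil, "module contains invalid characters"
print(M.get_system_log_hardened(benign))     -- logread -e dnsmasq

return M
```

The allowlist is deliberately narrower than what a shell-quoting routine would permit; for a parameter that names a log module, there is no legitimate need for whitespace or punctuation beyond dot, underscore and dash, and rejecting the request outright is safer than trying to neutralize the input.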

Impact

Successful exploitation gives an attacker arbitrary command execution as root on the affected device, which amounts to full control of the router, including its configuration, traffic and any credentials stored on it.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the '/rpc' endpoint with a JSON-RPC payload that calls the 'get_system_log' method and places a command injection in its 'module' parameter. The injected command is executed by the handler with root privileges.

Added: Mar 12, 2026, 6:26 PM
Updated: Mar 12, 2026, 6:26 PM

Vulnerability Rating

Custom Algorithm

spread          1.4
impact          7.5
exploitability  6.2
remediation     0.0
relevance       3.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.