The GL-iNet GL-AR300M16 router running firmware version 4.3.11 contains multiple command injection vulnerabilities within the set_upgrade function. This function handles firmware upgrade parameters including modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, and upgrade_type. Due to insufficient input validation and sanitization, specially crafted inputs can inject arbitrary shell commands. An attacker can exploit this remotely over the network without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation grants full control over the device, enabling execution of arbitrary commands with system privileges. This compromises device confidentiality, integrity, and availability, potentially allowing attackers to manipulate firmware, disrupt network operations, or pivot into internal networks. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command). Despite the critical severity and high CVSS score of 9.8, no patches or known exploits have been reported as of the publication date. The lack of authentication requirement and ease of exploitation make this a highly dangerous vulnerability for affected devices.

The impact of CVE-2026-26792 is severe for organizations using GL-iNet GL-AR300M16 routers. Attackers can gain complete control over the device remotely, leading to potential network compromise, data exfiltration, and disruption of services. The vulnerability threatens confidentiality by allowing unauthorized access to sensitive data passing through the router. Integrity is compromised as attackers can alter firmware or device configurations. Availability is at risk due to possible device bricking or denial of service from malicious commands. This can affect enterprise, small business, and home networks relying on this router model, especially where these devices serve as gateways or VPN endpoints. The absence of authentication and user interaction requirements increases the attack surface, enabling automated mass exploitation campaigns. Additionally, compromised routers can be leveraged as footholds for lateral movement or as part of botnets, amplifying the threat to broader network ecosystems.

Immediate mitigation involves isolating affected GL-iNet GL-AR300M16 devices from untrusted networks to prevent remote exploitation. Network administrators should implement strict firewall rules to restrict access to the router’s management interfaces, especially from external networks. Monitoring network traffic for unusual command execution patterns or unexpected firmware upgrade requests can help detect exploitation attempts. Since no official patches are available yet, consider deploying compensating controls such as network segmentation to limit the impact of a compromised device. Users should subscribe to GL-iNet security advisories for updates on patches and apply firmware updates promptly once released. Additionally, disabling remote management features and changing default credentials can reduce exposure. For critical environments, replacing vulnerable devices with models from vendors with timely security support is advisable until a fix is available.