
CVE-2026-26792: n/a

Published: Thu Mar 12 2026 (03/12/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

GL-iNet GL-AR300M16 v4.3.11 was discovered to contain multiple command injection vulnerabilities in the set_upgrade function via the modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, and upgrade_type parameters. These vulnerabilities allow attackers to execute arbitrary commands via a crafted input.

AI-Powered Analysis

Last updated: 03/12/2026, 18:30:35 UTC

Technical Analysis

The vulnerability identified as CVE-2026-26792 affects the GL-iNet GL-AR300M16 router running firmware version 4.3.11. It involves multiple command injection flaws within the set_upgrade function, which is responsible for handling firmware upgrade parameters. Specifically, the parameters modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, and upgrade_type can be manipulated by an attacker to inject arbitrary shell commands. Command injection vulnerabilities allow attackers to execute system-level commands with the privileges of the affected application, potentially leading to full device compromise.

The lack of authentication or user interaction requirements means that an attacker can exploit these flaws remotely, possibly via network access to the device’s management interface or upgrade endpoint. The vulnerabilities stem from insufficient input validation and sanitization of the upgrade-related parameters, allowing crafted inputs to be interpreted as commands by the underlying operating system. Although no public exploits are currently known, the severity of command injection combined with the widespread use of the GL-AR300M16 router makes this a critical security issue. The absence of a CVSS score indicates the need for a manual severity assessment.

The vulnerabilities impact the device’s confidentiality, integrity, and availability, as attackers could execute arbitrary commands, modify firmware, disrupt device operation, or pivot into internal networks. The vulnerabilities were published in March 2026, with the initial reservation in February 2026, but no patches or mitigations have been officially released yet.

Potential Impact

Successful exploitation of these command injection vulnerabilities can lead to complete compromise of the GL-iNet GL-AR300M16 router. Attackers could execute arbitrary commands, install persistent malware, alter or replace firmware, disrupt network traffic, or use the device as a foothold to attack internal networks. This threatens the confidentiality of data passing through the router, the integrity of network communications, and the availability of network services. Organizations relying on these routers for secure connectivity, including small businesses, remote offices, and home users, face risks of data breaches, network downtime, and lateral movement by attackers. The ability to exploit without authentication or user interaction increases the attack surface and likelihood of automated exploitation attempts. The lack of known exploits currently provides a limited window for remediation before active exploitation emerges. The impact extends beyond individual devices to potentially compromise entire network segments, especially in environments where these routers serve as gateways or VPN endpoints.

Mitigation Recommendations

Until official patches are released by GL-iNet, organizations should implement the following mitigations:

1) Restrict network access to the router’s management and upgrade interfaces by using firewall rules or network segmentation to limit exposure to trusted hosts only.
2) Disable remote management and firmware upgrade features if not required or restrict them to secure, authenticated channels.
3) Monitor network traffic and device logs for unusual activity or unexpected commands related to upgrade parameters.
4) Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics targeting command injection attempts on these parameters.
5) Regularly check GL-iNet’s official channels for firmware updates addressing this vulnerability and apply them promptly once available.
6) Consider replacing affected devices with models that have received security updates if immediate patching is not feasible.
7) Educate users and administrators about the risks of exposing device management interfaces to untrusted networks.

These targeted mitigations go beyond generic advice by focusing on limiting attack vectors specific to the upgrade function and command injection vectors.
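
One way to implement the monitoring heuristic from items 3 and 4, as an added example that is not part of the original record or GL-iNet's code: it scans logged request bodies for shell metacharacters in the seven set_upgrade parameters named in the description. The JSON request layout, the sample lines and the function names are assumptions made for illustration.

```python
import json
import re

# Parameter names from the CVE description of set_upgrade.
UPGRADE_PARAMS = {"modem_url", "target_version", "current_version",
                  "firmware_upload", "hash_type", "hash_value", "upgrade_type"}
# Shell separators, substitutions, redirections, quoting and whitespace:
# none of these belong in a version, hash or type field.
SHELL_META = re.compile(r"[;|&$`<>(){}\\'\"\s]")
# Assumption: modem_url holds a URL, where '&' is legitimate in a query string.
URL_META = re.compile(r"[;|$`<>(){}\\'\"\s]")

def find_suspicious(obj, path=""):
    """Walk decoded JSON; return (path, parameter, offending char) tuples."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in UPGRADE_PARAMS and isinstance(value, str):
                pattern = URL_META if key == "modem_url" else SHELL_META
                hit = pattern.search(value)
                if hit:
                    found.append((here, key, hit.group(0)))
            else:
                found.extend(find_suspicious(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(find_suspicious(item, f"{path}[{i}]"))
    return found

def scan_log(lines):
    """Scan logged request bodies, one JSON document per line."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        try:
            body = json.loads(line)
        except json.JSONDecodeError:
            alerts.append((lineno, "unparseable", None, None))  # review by hand
            continue
        alerts.extend((lineno, *f) for f in find_suspicious(body))
    return alerts

# Constructed sample bodies; the JSON layout is an assumption, not GL-iNet's API.
SAMPLE = [
    '{"method":"set_upgrade","params":{"target_version":"4.3.12","hash_type":"sha256"}}',
    '{"method":"set_upgrade","params":{"target_version":"4.3.12;echo test"}}',
    '{"method":"set_upgrade","params":{"modem_url":"http://192.0.2.10/fw.bin?a=1&b=2"}}',
    '{"method":"set_upgrade","params":{"hash_value":"abc`echo test`"}}',
]
for alert in scan_log(SAMPLE):
    print(alert)
```

The same per-parameter character check works as an allowlist in a reverse proxy placed in front of the management interface, rejecting the request instead of logging it.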


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-02-16T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69b302c82f860ef943d65dea

Added to database: 3/12/2026, 6:15:36 PM

Last enriched: 3/12/2026, 6:30:35 PM

Last updated: 3/14/2026, 3:18:15 AM
