CVE-2026-11505
5.0 MEDIUMA flaw has been found in GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000 and XE3000 4.8.x
Published: 2026-06-08 · Last updated: 2026-06-08
Severity and scoring
- CVSS
- 5.0 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
- CWE
- CWE-320, CWE-321
Description
A flaw has been found in GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000 and XE3000 4.8.x. This affects an unknown function of the component glnassys. Executing a manipulation can lead to use of hard-coded cryptographic key . The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. Upgrading to version 4.9.0 mitigates this issue. Upgrading the affected component is advised.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-11505
- [Other]https://cloud-static-test.gl-inet.cn/security/openwrt-ipq60xx-glinet_ax1800-squashfs-sysupgrade.tar
- [Other]https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/The%20hard%20coded%20default%20authentication%20token%20in%20gl%20nas%20sys%20poses%20a%20risk%20to%20unauthorized%20command%20execution.md
- [Other]https://vuldb.com/cve/CVE-2026-11505
- [Other]https://vuldb.com/submit/835698
- [Other]https://vuldb.com/vuln/369125
- [Other]https://vuldb.com/vuln/369125/cti
Related CVEs
Same CWE
- CVE-2026-46395 — HAX CMS helps manage microsite universe with PHP or NodeJs backends
- CVE-2026-11347 — The linqi application contains hardcoded cryptographic keys
- CVE-2026-45433 — This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware
- CVE-2026-50226 — Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers (5.3 MEDIUM)
- CVE-2026-45041 — RustFS is a distributed object storage system built in Rust