CVE-2026-36356
Published 2026-05-05
CVE-2026-36356: The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the…
Priority: P1 92 · critical · 9.1 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:N
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 15.39% (96.4th percentile)
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
Detection & IOCs (extracted from sources)
- Alert on HTTP POST requests to /action/SetRemoteAccessCfg — this endpoint requires no authentication and is the sole attack vector for CVE-2026-36356.
- Inspect the JSON 'password' field in POST bodies to /action/SetRemoteAccessCfg for shell metacharacters, especially $(...) subshell syntax used as the injection vector.
- A JSON response containing 'retcode: 0' from /action/SetRemoteAccessCfg following a POST with a non-trivial password value is a strong indicator of successful exploitation.
- Monitor for creation of or writes to /tmp/out on MeiG SLT711 devices, as this is the canonical exfiltration path used by the exploit for blind command output.
- The exploit executes commands as uid=0(root); any anomalous root-level process spawned by the GoAhead web server process on Linux 3.18.48 / MDM9607 devices should be investigated.
- The vulnerable endpoint is absent from the router's route.txt authentication list; network-level controls should block unauthenticated external access to port 80 on MeiG FORGE_SLT711 devices.
- Exploitation is blind — command output is NOT returned in the HTTP response body. Defenders should not rely on response content inspection alone; side-channel indicators (file creation, network callbacks) must be monitored.
- The vulnerability is confirmed on firmware MDM9607.LE.1.0-00110-STD.PROD-1 but the exploit author notes it likely affects all firmware versions of this product line, so patching scope should not be limited to this single firmware string.
- The default target IP used by the public exploit is 192.168.1.1 on port 80; detections scoped only to non-RFC1918 addresses will miss LAN-side exploitation.
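One way to turn the request-side indicators in this list into a check over parsed HTTP transactions, as an added example that is not code from any of the cited sources. The function name, the finding labels, the assumed JSON shape of the response and the sample values are assumptions; only the endpoint path, the 'password' field, the $(...) syntax and retcode 0 come from the list.

```python
import json
import re

ENDPOINT = "/action/SetRemoteAccessCfg"
SUBSHELL = re.compile(r"\$\(")              # $(...) subshell syntax named in the list
METACHARS = re.compile(r"[;&|`$<>\\\n]")    # other shell metacharacters


def _load(text):
    """Parse JSON, returning None instead of raising on malformed input."""
    try:
        return json.loads(text)
    except (TypeError, ValueError):
        return None


def classify(method, path, body, response_body=None):
    """Return finding labels for one HTTP transaction (empty list = not relevant)."""
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") != ENDPOINT:
        return []
    # Any POST is reportable: the endpoint is unauthenticated. No source-IP
    # filter is applied, so LAN-side (RFC 1918) requests are covered too.
    findings = ["post-to-unauthenticated-endpoint"]
    doc = _load(body)
    if not isinstance(doc, dict):
        findings.append("unparseable-body")
        if isinstance(body, str) and SUBSHELL.search(body):
            findings.append("subshell-in-raw-body")
        return findings
    password = doc.get("password")
    if isinstance(password, str) and SUBSHELL.search(password):
        findings.append("subshell-in-password")
    elif isinstance(password, str) and METACHARS.search(password):
        findings.append("metachar-in-password")
    elif password is not None and not isinstance(password, str):
        findings.append("non-string-password")
    # Exploitation is blind, so the response only confirms acceptance.
    # Assumed response shape: a JSON object with a "retcode" member.
    resp = _load(response_body) if response_body is not None else None
    if len(findings) > 1 and isinstance(resp, dict) and resp.get("retcode") in (0, "0"):
        findings.append("retcode-0-after-suspicious-post")
    return findings


# Constructed sample transactions (placeholder values, not captured traffic).
SAMPLES = [
    ("POST", ENDPOINT, '{"password": "$(EXAMPLE)"}', '{"retcode": 0}'),
    ("POST", ENDPOINT, '{"password": "Correct-Horse-9"}', '{"retcode": 0}'),
    ("GET", "/index.html", "", None),
]
```

A `metachar-in-password` finding can also come from a legitimate complex password, so treat it as lower confidence than `subshell-in-password`.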
CVSS provenance
nvd · v3.1 · 9.1 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck · 9.1 · CRITICAL
GHSA
GHSA-mwfr-mj36-qv8w: The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607
ghsa_unreviewed·2026-05-05
CVE-2026-36356 [CRITICAL] CWE-78 GHSA-mwfr-mj36-qv8w: The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
VulDB
GoAhead Web Server 9607.LE.1.0-0011 on MeiG SetRemoteAccessCfg os command injection
vuldb·2026-05-05·CVSS 9.1
CVE-2026-36356 [CRITICAL] GoAhead Web Server 9607.LE.1.0-0011 on MeiG SetRemoteAccessCfg os command injection
A vulnerability was found in GoAhead Web Server 9607.LE.1.0-0011 on MeiG and classified as critical. Impacted is an unknown function of the file /action/SetRemoteAccessCfg. Such manipulation leads to os command injection.
This vulnerability is referenced as CVE-2026-36356. It is possible to launch the attack remotely. No exploit is available.
VulnCheck
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2026·CVSS 9.1
CVE-2026-36356 [CRITICAL] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
Affected: MeiG Smart FORGE_SLT711
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-06-21&host_type=src&vulnerability=cve-2026-36356
Exploit PoC: https://vulncheck.com/xdb/9fcefbd2f853
No detection rules found.
No writeups or analysis indexed.
Published: 2026-05-05
Exploited in the wild