cbcvebase.
CVE-2026-36356
published 2026-05-05

CVE-2026-36356: The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the…

PriorityP192critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
15.39%
96.4th percentile
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.

Detection & IOCsextracted from sources · hover to see the quote

url/action/SetRemoteAccessCfg
path/tmp/out
commandecho root:"$(<password_field>)"|chpasswd
versionMDM9607.LE.1.0-00110-STD.PROD-1
  • Alert on HTTP POST requests to /action/SetRemoteAccessCfg — this endpoint requires no authentication and is the sole attack vector for CVE-2026-36356.
  • Inspect the JSON 'password' field in POST bodies to /action/SetRemoteAccessCfg for shell metacharacters, especially $(...) subshell syntax used as the injection vector.
  • A JSON response containing 'retcode: 0' from /action/SetRemoteAccessCfg following a POST with a non-trivial password value is a strong indicator of successful exploitation.
  • Monitor for creation of or writes to /tmp/out on MeiG SLT711 devices, as this is the canonical exfiltration path used by the exploit for blind command output.
  • The exploit executes commands as uid=0(root); any anomalous root-level process spawned by the GoAhead web server process on Linux 3.18.48 / MDM9607 devices should be investigated.
  • The vulnerable endpoint is absent from the router's route.txt authentication list; network-level controls should block unauthenticated external access to port 80 on MeiG FORGE_SLT711 devices.
  • ·Exploitation is blind — command output is NOT returned in the HTTP response body. Defenders should not rely on response content inspection alone; side-channel indicators (file creation, network callbacks) must be monitored.
  • ·The vulnerability is confirmed on firmware MDM9607.LE.1.0-00110-STD.PROD-1 but the exploit author notes it likely affects all firmware versions of this product line, so patching scope should not be limited to this single firmware string.
  • ·The default target IP used by the public exploit is 192.168.1.1 on port 80; detections scoped only to non-RFC1918 addresses will miss LAN-side exploitation.

CVSS provenance

nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck9.1CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.