Unauthenticated Remote Code Execution in MeiG Smart FORGE_SLT711 LTE CPE (CVE‑2026‑36356) Exposes Telecom Infrastructure
What Happened — An OS command injection (CVE‑2026‑36356) in the GoAhead web interface of MeiG Smart FORGE_SLT711 LTE CPE allows unauthenticated attackers to execute arbitrary commands as root via the /action/SetRemoteAccessCfg endpoint. The vulnerability resides in the JSON “password” field, which is passed to sprintf and then to system().
Why It Matters for TPRM —
- Critical RCE on network‑edge devices can compromise carrier infrastructure and downstream customers.
- Firmware is distributed through carrier channels, making patch rollout dependent on telecom operators.
- The device is often internet‑exposed, providing a low‑effort foothold for large‑scale botnets or data interception.
Who Is Affected — Telecommunications providers, ISPs, enterprises that deploy MeiG Smart LTE CPE, and managed service providers that include these devices in their service portfolio.
Recommended Actions —
- Verify inventory of MeiG Smart FORGE_SLT711 units and their firmware versions.
- Apply vendor‑released patches or upgrade to a non‑vulnerable firmware release immediately.
- Enforce network segmentation and restrict access to the device’s management interface (e.g., VPN, ACLs).
- Deploy outbound traffic monitoring to detect anomalous command execution patterns.
Technical Notes — The exploit sends an HTTP POST to /action/SetRemoteAccessCfg with a JSON payload {"password":"$(<cmd>)"}; the server’s sprintf("echo root:\"%s\"|chpasswd") leads to command execution as uid=0. The attack is blind (no command output returned). Affects firmware MDM9607.LE.1.0-00110-STD.PROD-1 and likely all versions of the product line. CVE‑2026‑36356. Source: https://www.exploit-db.com/exploits/52581