External risk intelligence

MeiG devices allow attackers to run commands on the device over the internet.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-36356

MeiG Smart devices have a critical flaw allowing anyone to run commands on the device over the internet without a password, potentially leading to full device takeover.

4Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-36356

The web management interface on this edge gateway device is commonly deployed as an externally reachable surface for remote administration. As a network gateway, the device's management suite is frequently exposed to the internet in real-world deployments, making this specific interface a common target for external network access.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Horizon Alert

Summary of the vulnerability and why it matters

The GoAhead web server on MeiG Smart FORGE_SLT711 devices has a critical vulnerability. This issue allows an attacker to run commands on the device without needing any credentials, potentially leading to unauthorized access and control.

  • Unauthenticated remote command execution.
  • Affects devices used as network gateways.
  • Serious compromise of device integrity.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a crafted request to the web server on a vulnerable device. This would allow them to inject and execute arbitrary operating system commands without any authentication. This could be used to gain control of the device and potentially pivot to other systems on the network.

  • Unauthenticated network access required.
  • Targets web server endpoint.
  • Device firmware MDM9607.LE.1.0-00110-STD.PROD-1.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated command injection through a web interface, which is a highly attractive attack vector. Attackers favor such vulnerabilities because they offer direct access without needing to bypass authentication mechanisms. The public availability of exploit details further increases the likelihood of weaponization.

  • Exploit code is publicly available.
  • Device management interfaces are often internet-exposed.
  • The vulnerability was recently disclosed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline MeiG Smart FORGE_SLT711 devices with firmware MDM9607.LE.1.0-00110-STD.PROD-1, as they are critically vulnerable to unauthenticated command injection and actively exploited. Focus on identifying all affected assets within your network to understand the scope of exposure. Given the critical severity and external accessibility, immediate containment is paramount to prevent further compromise.

  • Block external access to affected devices.
  • Monitor network traffic for exploitation attempts.
  • Disable the /action/SetRemoteAccessCfg endpoint.

Frequently asked questions

What is the MeiG Smart FORGE_SLT711 and its firmware?

The MeiG Smart FORGE_SLT711 is a 4G LTE fixed wireless device that utilizes a GoAhead web server. The specific firmware version affected by the vulnerability is MDM9607.LE.1.0-00110-STD.PROD-1.

What type of vulnerability is CVE-2026-36356?

CVE-2026-36356 is an OS command injection vulnerability, categorized as CWE-78. This allows an attacker to execute arbitrary operating system commands on the affected device without authentication.

How can CVE-2026-36356 be exploited?

An attacker can exploit this vulnerability by sending a specially crafted, unauthenticated POST request to the /action/SetRemoteAccessCfg endpoint on the device's web server. This request can inject arbitrary shell commands, leading to full device compromise.

What is the relevance of CVE-2026-36356, considering network exposure?

The MeiG Smart FORGE_SLT711 acts as a network gateway and its web management interface is often exposed to the internet. This external reachability makes it a prime target for attackers seeking to exploit the unauthenticated command injection vulnerability.

What actions should be taken to address CVE-2026-36356?

To mitigate this critical vulnerability, it is recommended to immediately isolate affected devices, block external access to their web management interfaces, and update the firmware to the latest available version. Auditing network logs for exploitation attempts is also advised.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified