Cyber Posture

CVE-2026-36356

Critical

Published: 05 May 2026
Modified: 07 May 2026
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0044 (63.1st percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly addresses OS command injection by requiring validation and sanitization of inputs to the /action/SetRemoteAccessCfg endpoint.
- prevent: Mitigates unauthenticated access to critical functions by limiting the actions permitted without identification or authentication on the vulnerable endpoint.
- prevent: Enforces approved authorizations to prevent unauthorized logical access and command execution via the GoAhead web server.

Security Summary

CVE-2026-36356 is an unauthenticated OS command injection vulnerability affecting the GoAhead web server on MeiG Smart FORGE_SLT711 devices running firmware version MDM9607.LE.1.0-00110-STD.PROD-1. The flaw exists in the /action/SetRemoteAccessCfg endpoint, where insufficient input validation allows attackers to inject arbitrary operating system commands. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-306 (Missing Authentication for Critical Function).

Any unauthenticated attacker with network access to the affected device can exploit this vulnerability with low complexity and no user interaction required. Exploitation enables remote code execution via injected OS commands, granting high-impact access to confidential data (C:H) and the ability to modify system integrity (I:H), though availability remains unaffected (A:N).

Advisories and additional details are available at the following references: http://forgeslt711.com, http://meig.com, and https://github.com/totekuh/CVE-2026-36356. Security practitioners should review these sources for vendor-recommended mitigations, patches, or configuration changes.

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command), CWE-306 (Missing Authentication for Critical Function)

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated OS command injection (CWE-78) in a public-facing web endpoint directly enables remote exploitation of the application (T1190) and arbitrary command execution via the Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

- http://forgeslt711.com
- http://meig.com
- https://github.com/totekuh/CVE-2026-36356