Cyber Resilience

CVE-2026-36356

Critical · RCE

Published: 05 May 2026
Modified: 07 May 2026
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 9.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.1539 (96.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-36356 is a critical-severity OS Command Injection (CWE-78) vulnerability in Forgeslt711 (product name inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is an unauthenticated OS command injection flaw (CWE-78) combined with missing authentication for a critical function (CWE-306) in the GoAhead web server running on MeiG Smart FORGE_SLT711 devices with firmware MDM9607.LE.1.0-00110-STD.PROD-1. It is reachable via the /action/SetRemoteAccessCfg endpoint and carries a CVSS 3.1 score of 9.1.

An attacker with network access can send crafted requests to the endpoint without credentials, resulting in arbitrary operating-system command execution on the device with impacts to confidentiality and integrity.

Public references consist of vendor sites for the affected hardware and a GitHub repository containing exploit details; no vendor advisories or official patches are referenced. The associated EPSS score remains low and essentially flat (current 0.0564, peak 0.0579), indicating limited observed exploitation interest to date.

Vulnerability details

The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.

CWE(s)

CWE-78 OS Command Injection
CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated OS command injection (CWE-78) in a public-facing web endpoint directly enables remote exploitation of the application (T1190) and arbitrary command execution via the Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12847 (shared: CWE-306, CWE-78)
CVE-2026-45087 (shared: CWE-306, CWE-78)
CVE-2025-55583 (shared: CWE-306, CWE-78)
CVE-2018-25115 (shared: CWE-78)
CVE-2024-57016 (shared: CWE-78)
CVE-2024-46484 (shared: CWE-78)
CVE-2025-7404 (shared: CWE-78)
CVE-2026-0796 (shared: CWE-78)
CVE-2026-2041 (shared: CWE-78)
CVE-2025-64091 (shared: CWE-78)

Affected Assets

Forgeslt711 (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

AC-3 Access Enforcement
prevent

Directly blocks unauthenticated requests to /action/SetRemoteAccessCfg before any command execution can occur.

SI-10 Information Input Validation
prevent

Requires validation and sanitization of all input to the endpoint, eliminating the OS command injection vector (CWE-78).

AC-17 Remote Access (partial match)
prevent

Mandates authentication and authorization controls for all remote management interfaces, addressing the missing-authentication weakness (CWE-306).