CVE-2026-36356
CriticalCVSS 9.1Exploitation Probability (EPSS)
Very high risk96th percentile — higher than 96% of all known CVEs
Summary
An unauthenticated OS command injection vulnerability exists in the GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1). The attack is possible via the /action/SetRemoteAccessCfg endpoint.
Risk Assessment
An unauthenticated attacker can remotely execute arbitrary system commands on the device, leading to full device compromise and potential network takeover.
Recommendation
Immediately update the firmware of MeiG Smart FORGE_SLT711 devices to a patched version. Until the update is applied, restrict access to the /action/SetRemoteAccessCfg endpoint using a firewall.
Original NVD description (English source)
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.

