CVE-2023-50445
HIGH EXPLOITED
GL.iNet Firmware - Unauthenticated OS Command Injection via logread and upgrade API Functions
Title source: llm
Exploitation Summary
CVE-2023-50445 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
Shell injection vulnerability in GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7 allows local attackers to execute arbitrary code via the get_system_log and get_crash_log functions of the logread module, as well as the upgrade_online function of the upgrade module.
References (2)
Core References
Exploit, Third Party Advisory
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md
Exploit, Third Party Advisory
http://packetstormsecurity.com/files/176708/GL.iNet-Unauthenticated-Remote-Command-Execution.html
Scores
CVSS v3
7.8
EPSS
0.0912
EPSS Percentile
94.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
VulnCheck KEV
2025-09-03
CWE
CWE-77
CWE-78
Status
published
Products (12)
gl-inet/gl-a1300_firmware
4.4.6
gl-inet/gl-ar300m_firmware
4.3.7
gl-inet/gl-ar750_firmware
4.3.7
gl-inet/gl-ar750s_firmware
4.3.7
gl-inet/gl-ax1800_firmware
4.4.6
gl-inet/gl-axt1800_firmware
4.4.6
gl-inet/gl-b1300_firmware
4.3.7
gl-inet/gl-mt1300_firmware
4.3.7
gl-inet/gl-mt2500_firmware
4.4.6
gl-inet/gl-mt3000_firmware
4.4.6
... and 2 more
Published
Dec 28, 2023
Tracked Since
Feb 18, 2026