CVE-2024-45263

HIGH

GL-iNet Firmware - Unrestricted File Upload via ovpn_upload Interface

Title source: llm

Description

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The upload interface allows the uploading of arbitrary files to the device. Once the device executes the files, it can lead to information leakage, enabling complete control.

References (1)

Core 1

Core References

Issue Tracking, Third Party Advisory

https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Arbitrary%20File%20Upload%20to%20ovpn_upload%20via%20Upload%20Interface.md

View Writeup ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0026

EPSS Percentile 17.4%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (21)

gl-inet/a1300_firmware 4.5.17

gl-inet/ar300m16_firmware 4.3.17

gl-inet/ar300m_firmware 4.3.17

gl-inet/ar750_firmware 4.3.17

gl-inet/ar750s_firmware 4.3.17

gl-inet/ax1800_firmware 4.6.2 - 4.6.4

gl-inet/axt1800_firmware 4.6.2 - 4.6.4

gl-inet/b1300_firmware 4.3.17

gl-inet/b3000_firmware 4.5.18

gl-inet/e750_firmware 4.3.17

... and 11 more

Published Oct 24, 2024

Tracked Since Feb 18, 2026