Security Advisories (Vulnerabilities and CVEs) April 24 2025
Dear all,
In this post, you will find a list of vulnerabilities and CVEs we've recently found on particular GL.iNet router models. Note that this does not include CVEs from OpenWrt.
Please check the firmware versions affected by the vulnerabilities and CVEs. If you're affected, you are strongly advised to upgrade your router to the firmware version containing the fixes as soon as possible.
| Model Number | Affected Firmware Version | Resolved Firmware Version |
|---|---|---|
| GL-BE3600 Slate 7 | / | V4.7.1 |
| GL-MT2500 Brume 2 | V4.7.0 and earlier | V4.7.4 |
| GL-MT3000 Beryl AX | ||
| GL-MT6000 Flint 2 | ||
| GL-B3000 Marble | V4.5.19 and earlier | V4.5.22 |
| GL-A1300 Slate Plus | ||
| GL-X300B Collie | ||
| GL-X3000 Spitz AX | V4.4.13 and earlier | V4.7.4 |
| GL-XE3000 Puli AX | ||
| GL-SFT1200 Opal | V4.3.24 and earlier | V4.3.25 |
| GL-X750 Spitz | V4.3.19 and earlier | V4.3.25 |
| GL-MT1300 Beryl | ||
| GL-E750/GL-E750V2 Mudi | V4.3.19 and earlier | V4.3.26 |
| GL-XE300 Puli | V4.3.18 and earlier | V4.3.25 |
| GL-AR750 Creta | ||
| GL-AR750S-EXT Slate | ||
| GL-AR300M Shadow | ||
| GL-AR300M16 Shadow | ||
| GL-B1300 Convexa-B | ||
| GL-MT300N-V2 Mango |
CVE-2024-57391
- Summary: Command injection vulerabilities that can be exploited after authentication
- Credit to: bin4re, Chuya Hayakawa, Ryo Kamino, gan3f , Sta8r9 https://github.com/isstabber, Yuze Wu
CVE-2025-2811
- Summary: ReDoS can be executed without authentication
- Credit to: Chuya Hayakawa, Ryo Kamino
CVE-2025-2850
- Summary: Unauthorized file download of router in download interfaces
- Credit to: Olivier
CVE-2025-2851
- Summary: Buffer overflow vulnerability via the rpc in the plugins.so library
- Credit to: gan3f, Sta8r9 https://github.com/isstabber
This is annoucement other than discussion. To report Security bugs, pls send email to security@gl-inet.com. We have a 90-day policy for vulnerability disclosure.