Boost Your Wi-Fi Experience! Save up to 35% on Halloween Deals | Shop Now

Security Advisories (Vulnerabilities and CVEs) August 1 2024

Dear all,

In this post, you will find a list of vulnerabilities and CVEs we've recently found on particular GL.iNet router models. Note that this does not include CVEs from OpenWrt.

Please check the firmware versions affected by the vulnerabilities and CVEs. If you're affected, you are strongly advised to upgrade your router to the firmware version containing the fixes as soon as possible.

Model NumberAffected Firmware VersionResolved Firmware Version
GL-MT6000 Flint 2V4.5.8 and earlierV4.6.2
GL-A1300 Slate PlusV4.5.16 and earlierV4.5.17
GL-X300B Collie
GL-AX1800 FlintV4.5.16 and earlierV4.6.2
GL-AXT1800 Slate AX
GL-MT2500 Brume 2
GL-MT3000 Beryl AX
GL-X3000 Spitz AXV4.4.8 and earlierV4.4.9
GL-XE3000 Puli AX
GL-XE300 PuliV4.3.16 and earlierV4.3.17
GL-E750/GL-E750V2 MudiV4.3.12 and earlierV4.3.17
GL-X750 SpitzV4.3.11 and earlierV4.3.17
GL-SFT1200 Opal
GL-AR300M Shadow
GL-AR300M16 Shadow
GL-AR750 Creta
GL-AR750S-EXT Slate
GL-B1300 Convexa-B
GL-MT1300 Beryl
GL-MT300N-V2 Mango
GL-AP1300 CirrusV3.217 and earlierV3.218
GL-B2200 VelicaV3.216 and earlierV3.218
GL-MV1000 Brume
GL-MV1000W Brume-W
GL-USB150 Microuter
GL-SF1200
microuter-N300
GL-S1300 Convexa-S
CVE-2024-39225
CVE-2024-39226
  • Summary: Missing input validation leads to arbitrary code execution
  • Credit to: Patrick Walker
CVE-2024-39227
  • Summary: Missing authorization checks/access controls and directory traversal leads to potential arbitrary code execution
  • Credit to: Patrick Walker
CVE-2024-39228
  • Summary: Authenticated remote code execution by ovpn api
  • Credit to: Manfred Heinz
CVE-2024-39229
  • Summary: Attackers can modify the binding IP address of DDNS by the MAC address and SN
CVE-2024-3661

This is annoucement other than discussion. To report Security bugs, pls send email to security@gl-inet.com. We have a 90-day policy for vulnerability disclosure.