Security Advisories (Vulnerabilities and CVEs) October 14 2024
Dear all,
In this post, you will find a list of vulnerabilities and CVEs we've recently found on particular GL.iNet router models. Note that this does not include CVEs from OpenWrt.
Please check the firmware versions affected by the vulnerabilities and CVEs. If you're affected, you are strongly advised to upgrade your router to the firmware version containing the fixes as soon as possible.
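Model Number | Affected Firmware Version | Resolved Firmware Version |
---|---|---|
GL-AX1800 Flint | V4.6.2 and earlier | V4.6.4 |
GL-AXT1800 Slate AX | V4.6.2 and earlier | V4.6.4 |
GL-MT2500 Brume 2 | V4.6.2 and earlier | V4.6.4 |
GL-MT3000 Beryl AX | V4.6.2 and earlier | V4.6.4 |
GL-MT6000 Flint 2 | V4.6.2 and earlier | V4.6.4 |
GL-B3000 Marble | V4.5.18 and earlier | V4.5.19 |
GL-X3000 Spitz AX | V4.4.9 and earlier | V4.4.11 |
GL-XE3000 Puli AX | V4.4.9 and earlier | V4.4.11 |
GL-A1300 Slate Plus | V4.5.17 and earlier | V4.5.19 |
GL-X300B Collie | V4.5.17 and earlier | V4.5.19 |
GL-X750 Spitz | V4.3.18 and earlier | V4.3.19 |
GL-SFT1200 Opal | V4.3.18 and earlier | V4.3.19 |
GL-MT1300 Beryl | V4.3.18 and earlier | V4.3.19 |
GL-E750/GL-E750V2 Mudi | V4.3.17 and earlier | V4.3.18 |
GL-XE300 Puli | V4.3.17 and earlier | V4.3.18 |
GL-AR750 Creta | V4.3.17 and earlier | V4.3.18 |
GL-AR750S-EXT Slate | V4.3.17 and earlier | V4.3.18 |
GL-AR300M Shadow | V4.3.17 and earlier | V4.3.18 |
GL-AR300M16 Shadow | V4.3.17 and earlier | V4.3.18 |
GL-B1300 Convexa-B | V4.3.17 and earlier | V4.3.18 |
GL-MT300N-V2 Mango | V4.3.17 and earlier | V4.3.18 |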
CVE-2024-45259
- Summary: Unauthorized file deletion on the router under some specific conditions
- Credit to: J. Simpson
CVE-2024-45260
- Summary: Unauthorized access to router admin rights
- Credit to: Bandar Alharbi https://github.com/aggressor0
CVE-2024-45261
- Summary: Authentication bypass on the router under some specific conditions
- Credit to: Bandar Alharbi https://github.com/aggressor0
CVE-2024-45262
- Summary: Directory traversal vulnerabilities in some specific router APIs
- Credit to: Baris Akkaya
CVE-2024-45263
- Summary: Unauthorized file upload to the router through some specific interfaces
- Credit to: Baris Akkaya
This is an announcement rather than a discussion. To report security bugs, please send an email to security@gl-inet.com. We have a 90-day policy for vulnerability disclosure.