Arbitrary Command Injection Vulnerability in GL.iNET Routers
CVE-2023-46454

9.8CRITICAL

Key Information:

Vendor: GL.iNET
Vendor: CVE Published:; 12 December 2023

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 15%

What is CVE-2023-46454?

A vulnerability in GL.iNET GL-AR300M routers running firmware version 4.3.7 allows attackers to execute arbitrary shell commands. This exploit can be facilitated through a specially crafted package name within the router's package information functionality, posing significant security risks to affected users. Proper precautions and updates are critical to protect against potential exploitation.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

GL.iNet-Multiple-Vulnerabilities
Created by cyberaz0r

References

https://cyberaz0r.info/2023/11/glinet-multiple-vulnerabil...

EPSS Score

15% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2023
🟡
Public PoC available
Dec 8, 2023
👾
Exploit known to exist
Dec 8, 2023
Vulnerability Reserved
Oct 23, 2023

CVE-2023-46454 Data

JSON