Remote Code Execution in GL.iNet Devices
CVE-2023-50922

7.2HIGH

Key Information:

Vendor: GL.iNet
Status: Gl-mt1300 Firmware
Vendor: CVE Published:; 3 January 2024

What is CVE-2023-50922?

A security issue has been identified in GL.iNet routers, particularly impacting versions up to 4.5.0 across several models. Attackers gaining access to the AdminToken cookie can exploit this vulnerability to execute arbitrary code. This involves uploading a crontab-formatted file to a specific directory, which, once executed, can compromise the integrity and security of the device. The affected models include A1300, AX1800, and many others, posing serious risks for users relying on these products for secure communications.

References

https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Rem...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 3, 2024
Vulnerability Reserved
Dec 15, 2023

CVE-2023-50922 Data

JSON