An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
The authentication mechanism based on NGINX uses Lua patterns (Lua string pattern matching) for request verification. Incorrect implementation of these patterns allows crafting an HTTP request in such a way that access control is bypassed — an attacker gains access to protected resources without providing valid credentials. The vulnerability is remotely exploitable without the need for authentication, user interaction, or special privileges. According to the published exploit, it also enables remote command execution (RCE) on the device.
An attacker can gain full unauthorized access to the device's management interface, resulting in the ability to read configuration, modify network settings, and execute arbitrary operating system commands remotely (RCE).
GL.iNet device firmware should be updated to version 4.5.0 or newer. The manufacturer has published patch details in the repository: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Authentication-bypass.md. Until the patch is deployed, it is recommended to restrict access to the management interface only to trusted IP addresses and isolate devices from the public network.
GL.iNet devices with firmware prior to version 4.5.0: A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, B1300 4.3.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGl Inet Gl A1300
HWGl-Inetwszystkie wersjeGl Inet Gl A1300 Firmware
OSGl-Inet4.3.74.4.6Gl Inet Gl Ar300m
HWGl-Inetwszystkie wersjeGl Inet Gl Ar300m Firmware
OSGl-Inet4.3.74.4.6Gl Inet Gl Ar750
HWGl-Inetwszystkie wersjeGl Inet Gl Ar750 Firmware
OSGl-Inet4.3.74.4.6Gl Inet Gl Ar750s
HWGl-Inetwszystkie wersjeGl Inet Gl Ar750s Firmware
OSGl-Inet4.3.74.4.6Gl Inet Gl Ax1800
HWGl-Inetwszystkie wersjeGl Inet Gl Ax1800 Firmware
OSGl-Inet4.3.74.4.6Gl Inet Gl Axt1800
HWGl-Inetwszystkie wersjeGl Inet Gl Axt1800 Firmware
OSGl-Inet4.3.74.4.6Gl Inet Gl B1300
HWGl-Inetwszystkie wersjeGl Inet Gl B1300 Firmware
OSGl-Inet4.3.74.4.6Gl Inet Gl Mt1300
HWGl-Inetwszystkie wersjeGl Inet Gl Mt1300 Firmware
OSGl-Inet4.3.74.4.6Gl Inet Gl Mt2500
HWGl-Inetwszystkie wersjeGl Inet Gl Mt2500 Firmware
OSGl-Inet4.3.74.4.6Gl Inet Gl Mt3000
HWGl-Inetwszystkie wersjeGl Inet Gl Mt3000 Firmware
OSGl-Inet4.3.74.4.6Gl Inet Gl Mt300n V2
HWGl-Inetwszystkie wersjeGl Inet Gl Mt300n V2 Firmware
OSGl-Inet4.3.74.4.6Gl Inet Gl Mt6000
HWGl-Inetwszystkie wersjeGl Inet Gl Mt6000 Firmware
OSGl-Inet4.3.74.4.6
Related vulnerabilities
GL.iNet: privilege escalation przez interfejs add_user do uprawnień root
GL.iNET GL-AR300M: command injection przez upload pliku konfiguracji OpenVPN
Command injection w routerach GL.iNET GL-AR300M przez nazwę pakietu
RCE w GL.iNet AX1800 przez błędne uprawnienia funkcji uwierzytelniania
Nieprawidłowe uprawnienia w GL.iNet AX1800 umożliwiające zdalne wykonanie kodu