An issue was discovered on GL.iNet devices through 4.5.0. Attackers can invoke the add_user interface in the system module to gain root privileges. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
An attacker can remotely invoke the add_user interface in the device's system module without any authentication or user interaction. This mechanism improperly manages permissions (CWE-269), allowing the addition of a user with root privileges. As a result, the attacker gains full control over the device's operating system.
An attacker gains full root privileges on the device, enabling them to arbitrarily modify configuration, intercept network traffic, install malicious software, and use the device as an entry point for further expansion into the network.
Patches available from the manufacturer should be applied in accordance with the references. Details regarding fixes have been published at: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Add_user_vulnerability.md. Until the update is applied, it is recommended to restrict access to the device management panel exclusively to trusted local networks and disable remote access to the administrative interface.
GL.iNet A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGl Inet Gl A1300
HWGl-Inetwszystkie wersjeGl Inet Gl A1300 Firmware
OSGl-Inet4.4.6Gl Inet Gl Ar300m
HWGl-Inetwszystkie wersjeGl Inet Gl Ar300m Firmware
OSGl-Inet4.3.7Gl Inet Gl Ar750
HWGl-Inetwszystkie wersjeGl Inet Gl Ar750 Firmware
OSGl-Inet4.3.7Gl Inet Gl Ar750s
HWGl-Inetwszystkie wersjeGl Inet Gl Ar750s Firmware
OSGl-Inet4.3.7Gl Inet Gl Ax1800
HWGl-Inetwszystkie wersjeGl Inet Gl Ax1800 Firmware
OSGl-Inet4.4.6Gl Inet Gl Axt1800
HWGl-Inetwszystkie wersjeGl Inet Gl Axt1800 Firmware
OSGl-Inet4.4.6Gl Inet Gl B1300
HWGl-Inetwszystkie wersjeGl Inet Gl B1300 Firmware
OSGl-Inet4.3.7Gl Inet Gl Mt1300
HWGl-Inetwszystkie wersjeGl Inet Gl Mt1300 Firmware
OSGl-Inet4.3.7Gl Inet Gl Mt2500
HWGl-Inetwszystkie wersjeGl Inet Gl Mt2500 Firmware
OSGl-Inet4.4.6Gl Inet Gl Mt3000
HWGl-Inetwszystkie wersjeGl Inet Gl Mt3000 Firmware
OSGl-Inet4.4.6Gl Inet Gl Mt300n V2
HWGl-Inetwszystkie wersjeGl Inet Gl Mt300n V2 Firmware
OSGl-Inet4.3.7Gl Inet Gl Mt6000
HWGl-Inetwszystkie wersjeGl Inet Gl Mt6000 Firmware
OSGl-Inet4.5.0
Related vulnerabilities
GL.iNet — Authentication Bypass w NGINX przez dopasowanie wzorców Lua
GL.iNET GL-AR300M: command injection przez upload pliku konfiguracji OpenVPN
Command injection w routerach GL.iNET GL-AR300M przez nazwę pakietu
RCE w GL.iNet AX1800 przez błędne uprawnienia funkcji uwierzytelniania
Nieprawidłowe uprawnienia w GL.iNet AX1800 umożliwiające zdalne wykonanie kodu