CRITICAL🇵🇱 Wersja polska

CVE-2023-50921

CVSS 9.8v3.1pub. 2024-01-03upd. 2025-06-18

An issue was discovered on GL.iNet devices through 4.5.0. Attackers can invoke the add_user interface in the system module to gain root privileges. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.

🤖 AI Analysis
How it works

An attacker can remotely invoke the add_user interface in the device's system module without any authentication or user interaction. This mechanism improperly manages permissions (CWE-269), allowing the addition of a user with root privileges. As a result, the attacker gains full control over the device's operating system.

Impact

An attacker gains full root privileges on the device, enabling them to arbitrarily modify configuration, intercept network traffic, install malicious software, and use the device as an entry point for further expansion into the network.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with the references. Details regarding fixes have been published at: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Add_user_vulnerability.md. Until the update is applied, it is recommended to restrict access to the device management panel exclusively to trusted local networks and disable remote access to the administrative interface.

Who is affected

GL.iNet A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gl Inet Gl A1300

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl A1300 Firmware

    OS
    Gl-Inet
    4.4.6
  • Gl Inet Gl Ar300m

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl Ar300m Firmware

    OS
    Gl-Inet
    4.3.7
  • Gl Inet Gl Ar750

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl Ar750 Firmware

    OS
    Gl-Inet
    4.3.7
  • Gl Inet Gl Ar750s

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl Ar750s Firmware

    OS
    Gl-Inet
    4.3.7
  • Gl Inet Gl Ax1800

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl Ax1800 Firmware

    OS
    Gl-Inet
    4.4.6
  • Gl Inet Gl Axt1800

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl Axt1800 Firmware

    OS
    Gl-Inet
    4.4.6
  • Gl Inet Gl B1300

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl B1300 Firmware

    OS
    Gl-Inet
    4.3.7
  • Gl Inet Gl Mt1300

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl Mt1300 Firmware

    OS
    Gl-Inet
    4.3.7
  • Gl Inet Gl Mt2500

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl Mt2500 Firmware

    OS
    Gl-Inet
    4.4.6
  • Gl Inet Gl Mt3000

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl Mt3000 Firmware

    OS
    Gl-Inet
    4.4.6
  • Gl Inet Gl Mt300n V2

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl Mt300n V2 Firmware

    OS
    Gl-Inet
    4.3.7
  • Gl Inet Gl Mt6000

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl Mt6000 Firmware

    OS
    Gl-Inet
    4.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-50919CRITICAL9.8PL ✓ten sam produkt

GL.iNet — Authentication Bypass w NGINX przez dopasowanie wzorców Lua

CVE-2023-46456CRITICAL9.8PL ✓ten sam produkt

GL.iNET GL-AR300M: command injection przez upload pliku konfiguracji OpenVPN

CVE-2023-46454CRITICAL9.8PL ✓ten sam produkt

Command injection w routerach GL.iNET GL-AR300M przez nazwę pakietu

CVE-2023-47463CRITICAL9.8PL ✓ten sam produkt

RCE w GL.iNet AX1800 przez błędne uprawnienia funkcji uwierzytelniania

CVE-2023-47462CRITICAL9.8PL ✓ten sam produkt

Nieprawidłowe uprawnienia w GL.iNet AX1800 umożliwiające zdalne wykonanie kodu