GL-iNet Routers Exposed to Critical Vulnerabilities: Urgent Firmware Updates Required
GL-iNet has recently issued a security advisory addressing multiple critical vulnerabilities in several of their router models. The vulnerabilities, tracked under CVE-2024-39225 through CVE-2024-39229 and CVE-2024-3661, expose users to severe risks, including unauthenticated remote code execution (RCE) and man-in-the-middle attacks. Users are strongly urged to update their devices to the latest firmware versions to mitigate these threats.
Key Vulnerabilities
- CVE-2024-39225 (CVSS 9.8): Unauthenticated Remote Code Execution (RCE)
- This critical vulnerability allows an unauthenticated attacker to gain RCE as a root user. Exploitation requires precise timing to match the security identifier (SID) during an active session.
- CVE-2024-39226 (CVSS 9.8): Missing Input Validation Leading to Arbitrary Code Execution
- This flaw allows attackers to manipulate routers by passing malicious shell commands through the s2s API, leading to arbitrary code execution.
- Impact: Full control over the device through command injection.
- CVE-2024-39227 (CVSS 9.8): Missing Authorization Checks and Directory Traversal
- This vulnerability permits direct access via HTTP to execute arbitrary methods within the C library, potentially leading to arbitrary code execution.
- Impact: Full system compromise via directory traversal and improper JSON data sanitization.
- CVE-2024-39228 (CVSS 9.8): Authenticated Remote Code Execution via Ovpn API
- Attackers can exploit this flaw by passing malicious shell commands through the Ovpn API, resulting in arbitrary code execution.
- Impact: Full control over the device after authentication through crafted configuration files and API calls.
- CVE-2024-39229: DDNS Binding IP Address Modification
- An issue allowing attackers to intercept communications via man-in-the-middle attacks when DDNS clients report data to the server.
- Impact: Potential interception and manipulation of network traffic.
- CVE-2024-3661 (CVSS 7.6): Tunnelvision Vulnerability via DHCP Option 121
- This vulnerability allows an attacker on the same local network to read, disrupt, or modify network traffic expected to be protected by a VPN.
- Impact: Leakage of traffic over the physical interface, undermining VPN security.
Affected Models and Firmware Versions
A wide range of GL-iNet router models are impacted, including popular ones like the Flint, Slate, Brume, and more.
| Model Number | Affected Firmware Version | Resolved Firmware Version |
| GL-MT6000 Flint 2 | V4.5.8 and earlier | V4.6.2 |
| GL-A1300 Slate Plus | V4.5.16 and earlier | V4.5.17 |
| GL-X300B Collie | ||
| GL-AX1800 Flint | V4.5.16 and earlier | V4.6.2 |
| GL-AXT1800 Slate AX | ||
| GL-MT2500 Brume 2 | ||
| GL-MT3000 Beryl AX | ||
| GL-X3000 Spitz AX | V4.4.8 and earlier | V4.4.9 |
| GL-XE3000 Puli AX | ||
| GL-XE300 Puli | V4.3.16 and earlier | V4.3.17 |
| GL-E750/GL-E750V2 Mudi | V4.3.12 and earlier | V4.3.17 |
| GL-X750 Spitz | V4.3.11 and earlier | V4.3.17 |
| GL-SFT1200 Opal | ||
| GL-AR300M Shadow | ||
| GL-AR300M16 Shadow | ||
| GL-AR750 Creta | ||
| GL-AR750S-EXT Slate | ||
| GL-B1300 Convexa-B | ||
| GL-MT1300 Beryl | ||
| GL-MT300N-V2 Mango | ||
| GL-AP1300 Cirrus | V3.217 and earlier | V3.218 |
| GL-B2200 Velica | V3.216 and earlier | V3.218 |
| GL-MV1000 Brume | ||
| GL-MV1000W Brume-W | ||
| GL-USB150 Microuter | ||
| GL-SF1200 | ||
| microuter-N300 | ||
| GL-S1300 Convexa-S |
Mitigating the Risk: Firmware Updates
GL-iNet has released firmware updates that address these vulnerabilities. Users must update their routers to the latest firmware versions as soon as possible to protect their networks from potential attacks. The updated firmware versions can be found on the GL-iNet website.
