#VU108909 OS Command Injection in GL.iNet products - CVE-2024-57391
Published: May 12, 2025
Vulnerability identifier: #VU108909
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-57391
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
GL-AX1800 Flint
GL-AXT1800 Slate AX
GL-MT2500 Brume 2
GL-MT3000 Beryl AX
GL-MT6000 Flint 2
GL-B3000 Marble
GL-A1300 Slate Plus
GL-X300B Collie
GL-X3000 Spitz AX
GL-XE3000 Puli AX
GL-SFT1200 Opal
GL-X750 Spitz
GL-MT1300 Beryl
GL-E750/GL-E750V2 Mudi
GL-XE300 Puli
GL-AR750 Creta
GL-AR750S-EXT Slate
GL-AR300M Shadow
GL-AR300M16 Shadow
GL-B1300 Convexa-B
GL-MT300N-V2 Mango
GL-BE3600 Slate 7
GL-AX1800 Flint
GL-AXT1800 Slate AX
GL-MT2500 Brume 2
GL-MT3000 Beryl AX
GL-MT6000 Flint 2
GL-B3000 Marble
GL-A1300 Slate Plus
GL-X300B Collie
GL-X3000 Spitz AX
GL-XE3000 Puli AX
GL-SFT1200 Opal
GL-X750 Spitz
GL-MT1300 Beryl
GL-E750/GL-E750V2 Mudi
GL-XE300 Puli
GL-AR750 Creta
GL-AR750S-EXT Slate
GL-AR300M Shadow
GL-AR300M16 Shadow
GL-B1300 Convexa-B
GL-MT300N-V2 Mango
GL-BE3600 Slate 7
Software vendor:
GL.iNet
GL.iNet
Description
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.