#VU108916 Buffer overflow in GL.iNet products - CVE-2025-2851
Published: May 12, 2025
Vulnerability identifier: #VU108916
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-2851
CWE-ID: CWE-119
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
GL-AX1800 Flint
GL-AXT1800 Slate AX
GL-MT2500 Brume 2
GL-MT3000 Beryl AX
GL-MT6000 Flint 2
GL-B3000 Marble
GL-A1300 Slate Plus
GL-X300B Collie
GL-X3000 Spitz AX
GL-XE3000 Puli AX
GL-SFT1200 Opal
GL-X750 Spitz
GL-MT1300 Beryl
GL-E750/GL-E750V2 Mudi
GL-XE300 Puli
GL-AR750 Creta
GL-AR750S-EXT Slate
GL-AR300M Shadow
GL-AR300M16 Shadow
GL-B1300 Convexa-B
GL-MT300N-V2 Mango
GL-BE3600 Slate 7
GL-AX1800 Flint
GL-AXT1800 Slate AX
GL-MT2500 Brume 2
GL-MT3000 Beryl AX
GL-MT6000 Flint 2
GL-B3000 Marble
GL-A1300 Slate Plus
GL-X300B Collie
GL-X3000 Spitz AX
GL-XE3000 Puli AX
GL-SFT1200 Opal
GL-X750 Spitz
GL-MT1300 Beryl
GL-E750/GL-E750V2 Mudi
GL-XE300 Puli
GL-AR750 Creta
GL-AR750S-EXT Slate
GL-AR300M Shadow
GL-AR300M16 Shadow
GL-B1300 Convexa-B
GL-MT300N-V2 Mango
GL-BE3600 Slate 7
Software vendor:
GL.iNet
GL.iNet
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the rpc in the plugins.so library. A remote user on the local network can trigger memory corruption and execute arbitrary code on the target system.
Remediation
Install updates from vendor's website.