CVE-2024-39228

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a shell injection vulnerability via the interface check_ovpn_client_config and check_config.

Published: Aug 6, 2024
Updated: Aug 16, 2024
CVE: CVE-2024-39228
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
gl-inet / mt6000_firmware	4.5.8	4.5.8.x
gl-inet / a1300_firmware	4.5.16	4.5.16.x
gl-inet / x300b_firmware	4.5.16	4.5.16.x
gl-inet / ax1800_firmware	4.5.16	4.5.16.x
gl-inet / axt1800_firmware	4.5.16	4.5.16.x
gl-inet / mt2500_firmware	4.5.16	4.5.16.x
gl-inet / mt3000_firmware	4.5.16	4.5.16.x
gl-inet / x3000_firmware	4.4.8	4.4.8.x
gl-inet / xe3000_firmware	4.4.8	4.4.8.x
gl-inet / xe300_firmware	4.3.16	4.3.16.x
gl-inet / e750_firmware	4.3.12	4.3.12.x
gl-inet / x750_firmware	4.3.11	4.3.11.x
gl-inet / sft1200_firmware	4.3.11	4.3.11.x
gl-inet / ar300m_firmware	4.3.11	4.3.11.x
gl-inet / ar300m16_firmware	4.3.11	4.3.11.x
gl-inet / ar750_firmware	4.3.11	4.3.11.x
gl-inet / ar750s_firmware	4.3.11	4.3.11.x
gl-inet / b1300_firmware	4.3.11	4.3.11.x
gl-inet / mt1300_firmware	4.3.11	4.3.11.x
gl-inet / mt300n-v2_firmware	4.3.11	4.3.11.x
gl-inet / ap1300_firmware	3.217	3.217.x
gl-inet / b2200_firmware	3.216	3.216.x
gl-inet / mv1000_firmware	3.216	3.216.x
gl-inet / mv1000w_firmware	3.216	3.216.x
gl-inet / usb150_firmware	3.216	3.216.x
gl-inet / sf1200_firmware	3.216	3.216.x
gl-inet / n300_firmware	3.216	3.216.x
gl-inet / s1300_firmware	3.216	3.216.x

Vulnerability Database

290,301

CVE-2024-39228