Strix
26.1K

CVE-2024-28077

HIGHCVSS 7.5/10EPSS 0.43%

Last modified

CVE-2024-28077 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. EPSS estimates a 0.43% chance of exploitation in the next 30 days.

Description

A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.43%

34.4th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersions
Gl-InetMt6000 Firmware4.5.6
Gl-InetX3000 Firmware4.4.6
Gl-InetXe3000 Firmware4.4.4
Gl-InetA1300 Firmware4.5.0
Gl-InetAx1800 Firmware4.5.0
Gl-InetAxt1800 Firmware4.5.0
Gl-InetMt2500 Firmware4.5.0
Gl-InetMt3000 Firmware4.5.0
Gl-InetXe300 Firmware4.3.16
Gl-InetX750 Firmware4.3.7
Gl-InetSft1200 Firmware4.3.7
Gl-InetAr300m Firmware4.3.10
Gl-InetAr300m16 Firmware4.3.10
Gl-InetAr750 Firmware4.3.10
Gl-InetAr750s Firmware4.3.10
Gl-InetB1300 Firmware4.3.10
Gl-InetMt1300 Firmware4.3.10
Gl-InetMt300n-V2 Firmware4.3.10

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2024-28077?
A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16.
How severe is CVE-2024-28077?
CVE-2024-28077 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.43% probability of exploitation in the next 30 days.
How do I fix CVE-2024-28077?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-28077?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST