CVE-2024-39227

CRITICAL | CVSS 9.8/10 | EPSS 1.19%

CVE-2024-39227 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain insecure permissions in the endpoint /cgi-bin/glc. This vulnerability allows unauthenticated attackers to execute arbitrary code or possibly a directory traversal via crafted JSON data. EPSS estimates a 1.19% chance of exploitation in the next 30 days.

Description

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain insecure permissions in the endpoint /cgi-bin/glc. This vulnerability allows unauthenticated attackers to execute arbitrary code or possibly a directory traversal via crafted JSON data.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
1.19%

64.0th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor    Product               Versions
Gl-Inet   Mt6000 Firmware       4.5.8
Gl-Inet   A1300 Firmware        4.5.16
Gl-Inet   X300b Firmware        4.5.16
Gl-Inet   Ax1800 Firmware       4.5.16
Gl-Inet   Axt1800 Firmware      4.5.16
Gl-Inet   Mt2500 Firmware       4.5.16
Gl-Inet   Mt3000 Firmware       4.5.16
Gl-Inet   X3000 Firmware        4.4.8
Gl-Inet   Xe3000 Firmware       4.4.8
Gl-Inet   Xe300 Firmware        4.3.16
Gl-Inet   E750 Firmware         4.3.12
Gl-Inet   X750 Firmware         4.3.11
Gl-Inet   Sft1200 Firmware      4.3.11
Gl-Inet   Ar300m Firmware       4.3.11
Gl-Inet   Ar300m16 Firmware     4.3.11
Gl-Inet   Ar750 Firmware        4.3.11
Gl-Inet   Ar750s Firmware       4.3.11
Gl-Inet   B1300 Firmware        4.3.11
Gl-Inet   Mt1300 Firmware       4.3.11
Gl-Inet   Mt300n-V2 Firmware    4.3.11
Gl-Inet   Ap1300 Firmware       3.217
Gl-Inet   B2200 Firmware        3.216
Gl-Inet   Mv1000 Firmware       3.216
Gl-Inet   Mv1000w Firmware      3.216
Gl-Inet   Usb150 Firmware       3.216
Gl-Inet   Sf1200 Firmware       3.216
Gl-Inet   N300 Firmware         3.216
Gl-Inet   S1300 Firmware        3.216

Frequently Asked Questions

What is CVE-2024-39227?
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain insecure permissions in the endpoint /cgi-bin/glc. This vulnerability allows unauthenticated attackers to execute arbitrary code or possibly a directory traversal via crafted JSON data.
How severe is CVE-2024-39227?
CVE-2024-39227 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 1.19% probability of exploitation in the next 30 days.
How do I fix CVE-2024-39227?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Source: NVD / NIST