CVE-2023-46453
Published: 2026-05-08
Priority: P2 · 72 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 0.76% (50.8th percentile)
Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000, GL-AR300M, GL-B1300, GL-AX1800, GL-AR750S, GL-MT2500, GL-AXT1800, GL-X3000 and GL-SFT1200.
Detection & IOCs (extracted from sources)
Command: `{"jsonrpc": "2.0", "method": "login", "params": {"username": "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+", "hash": "<md5>"}}`
- Detect POST requests to the /rpc endpoint containing the SQLi+regex bypass username payload `roo[^` or the pattern `union selecT char(114,111,111,116)` in the JSON body.
- Monitor for JSON-RPC `challenge` method calls to /rpc followed immediately by a `login` method call from the same source IP, indicating automated exploitation of the two-stage auth bypass.
- Alert on JSON-RPC `login` requests where the `username` parameter contains regex metacharacters combined with SQL keywords (e.g., `[^`, `union`, `selecT`, `char(`).
- Inspect /etc/shadow read patterns from the gl-ngx-session process; anomalous regex matches against shadow file entries (e.g., patterns containing `:[^:]+:[^:]+`) may indicate active exploitation.
- Detect JSON-RPC `call` method requests referencing `system` / `get_status` immediately after a successful login from an unexpected session ID, which may indicate post-exploitation enumeration.
- The exploit MD5 hash used for authentication is deterministic and computable by any attacker once the nonce is retrieved, because the injected username causes the shadow file match to always return user ID `0`. The hash changes per nonce but the formula is fixed.
- The vulnerability requires two separate injectable fields to work together: the username must simultaneously be a valid Lua regex (to match /etc/shadow) and a valid SQL injection payload (to return a valid aclgroup from the SQLite DB). Blocking only one vector is insufficient.
- Affected firmware is version 4.3.7 across multiple GL.iNet device models; the vulnerability was patched in a release on 2023/11/08.
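The first three detection items above (bypass username on /rpc, regex metacharacters mixed with SQL keywords, and the challenge-then-login sequence) as a small log analyser; this is an added example, not code from the source or from GL.iNet, and the request records, IP addresses and field names (`src_ip`, `path`, `body`) are constructed assumptions about what a reverse proxy or packet capture would hand you.

```python
import json
import re

# Indicators from the detection notes above: regex metacharacters and SQL
# keywords appearing together in the JSON-RPC "username" parameter.
REGEX_META = re.compile(r"[\[\]^$*+?|\\]")
SQL_KEYWORDS = re.compile(r"\bunion\b|\bselect\b|char\(|--", re.IGNORECASE)

# Constructed sample traffic: one benign session (10.0.0.5) and one that
# submits the bypass username quoted on this page (192.0.2.77).
BYPASS_USERNAME = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+"
SAMPLE_REQUESTS = [
    {"src_ip": "10.0.0.5", "path": "/rpc",
     "body": '{"jsonrpc": "2.0", "method": "challenge", "params": {}}'},
    {"src_ip": "10.0.0.5", "path": "/rpc",
     "body": '{"jsonrpc": "2.0", "method": "login", "params": {"username": "root", "hash": "<md5>"}}'},
    {"src_ip": "192.0.2.77", "path": "/rpc",
     "body": '{"jsonrpc": "2.0", "method": "challenge", "params": {}}'},
    {"src_ip": "192.0.2.77", "path": "/rpc",
     "body": json.dumps({"jsonrpc": "2.0", "method": "login",
                         "params": {"username": BYPASS_USERNAME, "hash": "<md5>"}})},
]

def username_is_suspicious(username: str) -> bool:
    """True when the username mixes regex metacharacters with SQL keywords."""
    return bool(REGEX_META.search(username) and SQL_KEYWORDS.search(username))

def analyze_requests(requests):
    """Return (severity, src_ip, reason) tuples for request dicts sent to /rpc."""
    # A challenge->login sequence is also what a legitimate client does, so it is
    # reported at info level as corroboration; a bypass username is high on its own.
    alerts = []
    last_method = {}  # src_ip -> previous JSON-RPC method seen on /rpc
    for req in requests:
        if req["path"] != "/rpc":
            continue
        try:
            msg = json.loads(req["body"])
        except json.JSONDecodeError:
            continue  # not JSON-RPC; nothing to inspect
        method = msg.get("method")
        params = msg.get("params") or {}
        if method == "login":
            user = str(params.get("username", ""))
            if username_is_suspicious(user):
                alerts.append(("high", req["src_ip"], f"SQLi+regex username in login: {user!r}"))
            if last_method.get(req["src_ip"]) == "challenge":
                alerts.append(("info", req["src_ip"], "challenge immediately followed by login"))
        last_method[req["src_ip"]] = method
    return alerts
```

Only the username check is a high-confidence signal; the challenge/login ordering matches ordinary client behaviour and is kept at info level so it corroborates rather than pages on its own.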
No detection rules found.
No writeups or analysis indexed.