cbcvebase.
CVE-2023-46455
published 2023-12-12


Priority: P269 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 46.97% (98.7th percentile)

In GL.iNET GL-AR300M routers with firmware v4.3.7 it is possible to write arbitrary files through a path traversal attack in the OpenVPN client file upload functionality.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| gl-inet | gl-ar300m_firmware | | |

Detection & IOCs (extracted from sources)

url: POST /upload HTTP/1.1
path: /upload
other: shodan-query: title:"GL.iNet Admin Panel"
  • Monitor for HTTP POST requests to the /upload endpoint on GL.iNet devices, particularly multipart form-data submissions containing a 'path' field with path traversal sequences (e.g., '../') targeting locations outside /tmp.
  • Detect the exploit by looking for multipart form-data POST requests to /upload with the specific boundary value '---------------------------81419250823331111993422505835' in the Content-Type header.
  • Alert on HTTP 200 responses from GL.iNet /upload endpoint containing the string 'File uploaded successfully', which confirms successful exploitation of the path traversal file write.
  • The vulnerability is in the OpenVPN client file upload functionality; inspect multipart form fields 'sid', 'size', 'path', and 'file' for anomalous path values indicating traversal attempts.
  • Use Shodan or passive DNS to identify exposed GL.iNet admin panels as potential targets; the query 'title:"GL.iNet Admin Panel"' surfaces vulnerable devices.
  • The vulnerability affects GL.iNet GL-AR300M routers specifically on firmware version 4.3.7; devices on earlier versions may also be affected per the Nuclei template scope of '<= 4.3.7'.
  • The exploit is described as unauthenticated (PR:N in CVSS), meaning no prior authentication is required to reach the /upload endpoint and write arbitrary files.
  • The Nuclei template uses an auth_token variable, suggesting some deployments may require a session ID (sid) field in the multipart body; the token may be obtainable without credentials or via a separate unauthenticated step.
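
A defender-side check for the multipart indicators listed above, added here as an example (it is not code from the advisory, the Nuclei template or GL.iNet): it parses a captured POST /upload body and reports a 'path' field that leaves /tmp. The /tmp base directory, the function names and the sample requests are assumptions constructed for illustration.

```python
import posixpath
from email.parser import BytesParser
from email.policy import HTTP

UPLOAD_BASE = "/tmp"  # assumption: legitimate uploads stay under /tmp (per the note above)
POC_BOUNDARY = "---------------------------81419250823331111993422505835"  # quoted on this page

def form_fields(content_type, body):
    """Parse a multipart/form-data body into {field name: text value}."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name:
            fields[name] = part.get_payload(decode=True).decode("utf-8", "replace")
    return fields

def traversal_findings(content_type, body):
    """Return the reasons a POST /upload request matches the indicators above."""
    findings = []
    path = form_fields(content_type, body).get("path", "").strip()
    resolved = posixpath.normpath(posixpath.join(UPLOAD_BASE, path))
    if ".." in path.replace("\\", "/").split("/"):
        findings.append("dot-dot segment in 'path'")
    if resolved != UPLOAD_BASE and not resolved.startswith(UPLOAD_BASE + "/"):
        findings.append("'path' resolves outside " + UPLOAD_BASE + ": " + resolved)
    if POC_BOUNDARY in content_type:
        findings.append("boundary matches the published template")
    return findings

def sample_request(boundary, path):
    """Build a constructed request (placeholder values, not captured traffic)."""
    text = {"sid": "SID-PLACEHOLDER", "size": "4", "path": path}
    body = "".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
        for k, v in text.items())
    body += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
             f'filename="client.ovpn"\r\nContent-Type: application/octet-stream\r\n\r\n'
             f'test\r\n--{boundary}--\r\n')
    return "multipart/form-data; boundary=" + boundary, body.encode()

if __name__ == "__main__":
    for b, p in [("constructed-boundary-1", "/tmp/ovpn_upload/"),
                 (POC_BOUNDARY, "/tmp/ovpn_upload/../../placeholder-dir/")]:
        print(p, "->", traversal_findings(*sample_request(b, p)))
```

The boundary match is a weak indicator on its own, since any client can choose a different boundary; the normalized-path check is the one that tracks the flaw itself.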