CVE-2023-50445
Published 2023-12-28
CVE-2023-50445: Shell Injection vulnerability GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2…
Priority: P2 · 79 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.12% (94.7th percentile)
Shell Injection vulnerability in GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7 allows local attackers to execute arbitrary code via the get_system_log and get_crash_log functions of the logread module, as well as the upgrade_online function of the upgrade module.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gl-inet | gl-a1300_firmware | — | — |
| gl-inet | gl-ar300m_firmware | — | — |
| gl-inet | gl-ar750_firmware | — | — |
| gl-inet | gl-ar750s_firmware | — | — |
| gl-inet | gl-ax1800_firmware | — | — |
| gl-inet | gl-axt1800_firmware | — | — |
| gl-inet | gl-b1300_firmware | — | — |
| gl-inet | gl-mt1300_firmware | — | — |
| gl-inet | gl-mt2500_firmware | — | — |
| gl-inet | gl-mt3000_firmware | — | — |
| gl-inet | gl-mt300n-v2_firmware | — | — |
| gl-inet | gl-mt6000_firmware | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests targeting the logread module's gl_system_log and gl_crash_log JSON interfaces on GL.iNet devices for shell metacharacters or injection payloads within JSON parameter values.
- Detect presence or theft of the Admin-Token cookie/SID, especially when observed in requests that do not follow a normal authenticated login flow; this may indicate chaining with the CVE-2023-50919 auth bypass.
- Alert on exploitation of the upgrade_online function in the upgrade module alongside get_system_log and get_crash_log in the logread module, as all three are identified injection vectors.
- Prefer stageless Meterpreter payload signatures for detection; staged Meterpreter payloads may not complete successfully against this target, so staged payload network patterns are less reliable indicators.
- Vulnerability scope is broad across many GL.iNet firmware versions and device models; version ranges differ per model, so version-based detection rules must account for each model's specific affected range.
- This exploit can be chained with CVE-2023-50919 to achieve unauthenticated RCE; detections relying solely on authenticated session anomalies may miss the full attack chain.
CVSS provenance
- nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 7.8 HIGH
GHSA
ghsa_unreviewed · 2023-12-28
CVE-2023-50445 [HIGH] CWE-77 GHSA-r64h-95wm-rrfq: Shell Injection vulnerability GL
VulnCheck
gl-inet gl-mt1300_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2023 · CVSS 7.8
CVE-2023-50445 [HIGH] gl-inet gl-mt1300_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: gl-inet gl-mt1300_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://hs-8813571.f.hubspotemail.net/hubfs/8813571
No detection rules found.
- http://packetstormsecurity.com/files/176708/GL.iNet-Unauthenticated-Remote-Command-Execution.html
- https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md