CVE-2023-50445
published 2023-12-28

CVE-2023-50445: Shell Injection vulnerability GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2…

Priority: P279 · high · 7.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.12% (94.7th percentile)
Shell injection vulnerability in GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7 allows local attackers to execute arbitrary code via the get_system_log and get_crash_log functions of the logread module, as well as the upgrade_online function of the upgrade module.

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gl-inet | gl-a1300_firmware | | |
| gl-inet | gl-ar300m_firmware | | |
| gl-inet | gl-ar750_firmware | | |
| gl-inet | gl-ar750s_firmware | | |
| gl-inet | gl-ax1800_firmware | | |
| gl-inet | gl-axt1800_firmware | | |
| gl-inet | gl-b1300_firmware | | |
| gl-inet | gl-mt1300_firmware | | |
| gl-inet | gl-mt2500_firmware | | |
| gl-inet | gl-mt3000_firmware | | |
| gl-inet | gl-mt300n-v2_firmware | | |
| gl-inet | gl-mt6000_firmware | | |

Detection & IOCs (extracted from sources)

cookie: Admin-Token
other: gl_system_log
other: gl_crash_log
  • Monitor HTTP requests targeting the logread module's gl_system_log and gl_crash_log JSON interfaces on GL.iNet devices for shell metacharacters or injection payloads within JSON parameter values.
  • Detect presence or theft of the Admin-Token cookie/SID, especially when observed in requests that do not follow a normal authenticated login flow — may indicate chaining with CVE-2023-50919 auth bypass.
  • Alert on exploitation of the upgrade_online function in the upgrade module alongside get_system_log and get_crash_log in the logread module, as all three are identified injection vectors.
  • Prefer stageless Meterpreter payload signatures for detection; staged Meterpreter payloads may not complete successfully against this target, so staged payload network patterns are less reliable indicators.
  • Vulnerability scope is broad across many GL.iNet firmware versions and device models; version ranges differ per model, so version-based detection rules must account for each model's specific affected range.
  • This exploit can be chained with CVE-2023-50919 to achieve unauthenticated RCE; detections relying solely on authenticated session anomalies may miss the full attack chain.

CVSS provenance

nvd · v3.1 · 7.8 · HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 7.8 · HIGH