CVE-2024-27356
Published 2024-02-27
Priority: P2 · 70 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 23.91% (97.5th percentile)
An issue was discovered on certain GL-iNet devices. Attackers can download files such as logs via commands, potentially obtaining critical user information. This affects MT6000 4.5.5, XE3000 4.4.4, X3000 4.4.5, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, XE300 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-v2 4.3.10, X300B 3.217, S1300 3.216, SF1200 3.216, MV1000 3.216, N300 3.216, B2200 3.216, and X1200 3.203.
Affected
26 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gl-inet | a1300_firmware | — | — |
| gl-inet | ar300m16_firmware | — | — |
| gl-inet | ar300m_firmware | — | — |
| gl-inet | ar750_firmware | — | — |
| gl-inet | ar750s_firmware | — | — |
| gl-inet | ax1800_firmware | — | — |
| gl-inet | axt1800_firmware | — | — |
| gl-inet | b1300_firmware | — | — |
| gl-inet | b2200_firmware | — | — |
| gl-inet | mt1300_firmware | — | — |
| gl-inet | mt2500_firmware | — | — |
| gl-inet | mt3000_firmware | — | — |
| gl-inet | mt300n-v2_firmware | — | — |
| gl-inet | mt6000_firmware | — | — |
| gl-inet | mv1000_firmware | — | — |
| gl-inet | n300_firmware | — | — |
| gl-inet | s1300_firmware | — | — |
| gl-inet | s200_firmware | — | — |
| gl-inet | sf1200_firmware | — | — |
| gl-inet | sft1200_firmware | — | — |
| gl-inet | x1200_firmware | — | — |
| gl-inet | x3000_firmware | — | — |
| gl-inet | x300b_firmware | — | — |
| gl-inet | x750_firmware | — | — |
| gl-inet | xe3000_firmware | — | — |
Detection & IOCs
url: /openvpn/ovpn/client.ovpn
```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GL.iNet request for logread.tar (Possible CVE-2024-27356)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/js/logread.tar"; fast_pattern; reference:cve,2024-27356; reference:url,github.com/aggressor0/GL.iNet-Exploits/tree/main; classtype:attempted-admin; sid:2065918; rev:1; metadata:affected_product GL_iNet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_26, cve CVE_2024_27356, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GL.iNet request for client.ovpn (Possible CVE-2024-27356)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/openvpn/ovpn/client.ovpn"; fast_pattern; reference:cve,2024-27356; reference:url,github.com/aggressor0/GL.iNet-Exploits/tree/main; classtype:attempted-admin; sid:2065919; rev:1; metadata:affected_product GL_iNet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_26, cve CVE_2024_27356, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Fingerprint unauthenticated GL.iNet devices by checking for an HTTP 500 response with 'nginx' in the body on POST to /rpc, then confirming the 'Admin-Token' string in /views/gl-sdk4-ui-login.common.js
- The exploit uses a distinctive User-Agent, 'Mozilla/5.0 (compatible;contxbot/1.0)'; alert on this UA in HTTP logs targeting GL.iNet admin panel paths
- An unauthenticated HTTP GET to /js/logread.tar is the primary exploitation indicator; monitor for this request on GL.iNet admin interfaces
- An unauthenticated HTTP GET to /openvpn/ovpn/client.ovpn can expose VPN credentials; monitor for this path on GL.iNet devices
- The Google Dork 'intitle:"GL.iNet Admin Panel"' can be used to identify exposed devices; use this to scope your asset inventory
- The exploit checks for a firmware version starting with '4.' to confirm vulnerability; correlate the firmware version from the /rpc check_initialized response against the affected version list
- The downloaded logread.tar leaks credentials, the registered Device ID, and other confidential info; treat any outbound transfer of this file as a high-severity data exfiltration event
- The Snort rules (sid:2065918, sid:2065919) are scoped to plaintext (non-TLS) traffic only; exploitation over HTTPS will not be detected by these signatures
- The exploit targets firmware versions starting with '4.' across a wide range of GL.iNet models; older 3.x firmware versions are also listed as affected in the NVD advisory
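Because the two signatures above only see plaintext HTTP, the same indicators can also be matched in web access logs, which record the request after TLS termination. The following is an added example, not code from this page or from the rule authors; it assumes access logs in the nginx/Apache "combined" format, and the log lines and function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Indicators quoted on this page.
PATH_INDICATORS = {
    "/js/logread.tar": "logread.tar download",
    "/openvpn/ovpn/client.ovpn": "client.ovpn download",
}
UA_INDICATOR = "Mozilla/5.0 (compatible;contxbot/1.0)"

# Assumption: "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Feb/2024:10:00:01 +0000] "GET /js/logread.tar HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible;contxbot/1.0)"',
    '198.51.100.9 - - [27/Feb/2024:10:00:05 +0000] "GET /openvpn/ovpn/client.ovpn?x=1 HTTP/1.1" 404 153 "-" "curl/8.4.0"',
    '192.0.2.10 - - [27/Feb/2024:10:00:09 +0000] "GET /js/app.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [27/Feb/2024:10:00:12 +0000] "POST /rpc HTTP/1.1" 500 170 "-" "Mozilla/5.0 (compatible;contxbot/1.0)"',
    '203.0.113.5 - - [27/Feb/2024:10:00:20 +0000] "GET /js/%6Cogread.tar HTTP/1.1" 200 48213 "-" "curl/8.4.0"',
]

def normalize(target):
    """Drop the query string, percent-decode, collapse '//' and './' segments."""
    path = re.sub(r"/{2,}", "/", unquote(target.split("?", 1)[0]))
    return posixpath.normpath(path)

def scan(lines):
    """Return (source, raw target, reasons) for each line matching an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        label = PATH_INDICATORS.get(normalize(m["target"]))
        if m["method"] == "GET" and label:
            served = m["status"].startswith("2")
            reasons.append(f"{label} ({'served' if served else 'not served'})")
        if m["ua"] == UA_INDICATOR:
            reasons.append("exploit User-Agent")
        if reasons:
            findings.append((m["src"], m["target"], reasons))
    return findings
```

A "served" finding means the file was actually returned, which is the case to treat as a confirmed disclosure of the log archive or VPN profile.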
Suricata
ET WEB_SPECIFIC_APPS GL.iNet request for logread.tar (Possible CVE-2024-27356)
suricata·2025-11-26·CVSS 7.5
Suricata
ET WEB_SPECIFIC_APPS GL.iNet request for client.ovpn (Possible CVE-2024-27356)
suricata·2025-11-26·CVSS 7.5