CVE-2024-27356
published 2024-02-27

Priority: P2 · 70
Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 23.91% (97.5th percentile)
An issue was discovered on certain GL-iNet devices. Attackers can download files such as logs via commands, potentially obtaining critical user information. This affects MT6000 4.5.5, XE3000 4.4.4, X3000 4.4.5, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, XE300 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-v2 4.3.10, X300B 3.217, S1300 3.216, SF1200 3.216, MV1000 3.216, N300 3.216, B2200 3.216, and X1200 3.203.

Affected

26 ranges · showing 25

Vendor    Product               Version range    Fixed in
gl-inet   a1300_firmware
gl-inet   ar300m16_firmware
gl-inet   ar300m_firmware
gl-inet   ar750_firmware
gl-inet   ar750s_firmware
gl-inet   ax1800_firmware
gl-inet   axt1800_firmware
gl-inet   b1300_firmware
gl-inet   b2200_firmware
gl-inet   mt1300_firmware
gl-inet   mt2500_firmware
gl-inet   mt3000_firmware
gl-inet   mt300n-v2_firmware
gl-inet   mt6000_firmware
gl-inet   mv1000_firmware
gl-inet   n300_firmware
gl-inet   s1300_firmware
gl-inet   s200_firmware
gl-inet   sf1200_firmware
gl-inet   sft1200_firmware
gl-inet   x1200_firmware
gl-inet   x3000_firmware
gl-inet   x300b_firmware
gl-inet   x750_firmware
gl-inet   xe3000_firmware

Detection & IOCs (extracted from sources)

url: /js/logread.tar
url: /rpc
url: /views/gl-sdk4-ui-login.common.js
url: /openvpn/ovpn/client.ovpn
command: {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]}
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GL.iNet request for logread.tar (Possible CVE-2024-27356)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/js/logread.tar"; fast_pattern; reference:cve,2024-27356; reference:url,github.com/aggressor0/GL.iNet-Exploits/tree/main; classtype:attempted-admin; sid:2065918; rev:1; metadata:affected_product GL_iNet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_26, cve CVE_2024_27356, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GL.iNet request for client.ovpn (Possible CVE-2024-27356)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/openvpn/ovpn/client.ovpn"; fast_pattern; reference:cve,2024-27356; reference:url,github.com/aggressor0/GL.iNet-Exploits/tree/main; classtype:attempted-admin; sid:2065919; rev:1; metadata:affected_product GL_iNet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_26, cve CVE_2024_27356, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Fingerprint unauthenticated GL.iNet devices by checking for HTTP 500 response with 'nginx' in body on POST to /rpc, then confirming 'Admin-Token' string in /views/gl-sdk4-ui-login.common.js
  • Exploit uses a distinctive User-Agent 'Mozilla/5.0 (compatible;contxbot/1.0)' — alert on this UA in HTTP logs targeting GL.iNet admin panel paths
  • Unauthenticated HTTP GET to /js/logread.tar is the primary exploitation indicator; monitor for this request on GL.iNet admin interfaces
  • Unauthenticated HTTP GET to /openvpn/ovpn/client.ovpn can expose VPN credentials; monitor for this path on GL.iNet devices
  • Google Dork 'intitle:"GL.iNet Admin Panel"' can be used to identify exposed devices; use this to scope your asset inventory
  • The exploit checks firmware version starting with '4.' to confirm vulnerability; correlate firmware version from /rpc check_initialized response against affected version list
  • Downloaded logread.tar leaks credentials, registered Device ID, and other confidential info; treat any outbound transfer of this file as a high-severity data exfiltration event
  • Snort rules (sid:2065918, sid:2065919) are scoped to plaintext (non-TLS) traffic only; exploitation over HTTPS will not be detected by these signatures
  • The exploit targets firmware versions starting with '4.' across a wide range of GL.iNet models; older 3.x firmware versions are also listed as affected in the NVD advisory
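
Because the signatures above only see plaintext HTTP, the same indicators can also be matched in web access logs, which record requests after TLS termination. The following is an added example, not code from the page's sources: it assumes nginx/Apache "combined" log format, and the function names and sample log lines are constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Paths and User-Agent marker taken from the indicators listed on this page.
SENSITIVE_PATHS = {"/js/logread.tar", "/openvpn/ovpn/client.ovpn"}
EXPLOIT_UA = "contxbot/1.0"

# Assumption: log lines use the nginx/Apache "combined" format.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

def canonical_path(target):
    """Drop query/fragment, percent-decode once, collapse //, /./ and /../."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return normpath("/" + path.lstrip("/"))

def scan(lines):
    """Return one finding per log line matching a CVE-2024-27356 indicator."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = canonical_path(m["target"])
        hit_path = m["method"] == "GET" and path in SENSITIVE_PATHS
        hit_ua = EXPLOIT_UA in m["ua"].lower()
        if not (hit_path or hit_ua):
            continue
        # Heuristic (assumption): a 200 on a sensitive path means content was returned.
        served = hit_path and m["status"] == "200"
        findings.append({"src": m["src"], "path": path, "ua_match": hit_ua,
                         "severity": "high" if served else "medium"})
    return findings

# Constructed sample log lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [27/Feb/2024:10:00:01 +0000] "GET /js/logread.tar HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible;contxbot/1.0)"',
    '198.51.100.7 - - [27/Feb/2024:10:00:02 +0000] "GET /openvpn//ovpn/./client.ovpn?x=1 HTTP/1.1" 404 162 "-" "curl/8.5.0"',
    '192.0.2.10 - - [27/Feb/2024:10:00:03 +0000] "POST /rpc HTTP/1.1" 200 85 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [27/Feb/2024:10:00:04 +0000] "GET /%6As/logread.tar HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Path normalization matters here: a literal string match on the raw request line would miss the second and fourth sample requests.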