CVE-2024-39225
Published 2024-08-06

CVE-2024-39225: GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16…
Priority: P269 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.53% (96.2th percentile)
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a remote code execution (RCE) vulnerability.
Affected
28 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gl-inet | a1300_firmware | — | — |
| gl-inet | ap1300_firmware | — | — |
| gl-inet | ar300m16_firmware | — | — |
| gl-inet | ar300m_firmware | — | — |
| gl-inet | ar750_firmware | — | — |
| gl-inet | ar750s_firmware | — | — |
| gl-inet | ax1800_firmware | — | — |
| gl-inet | axt1800_firmware | — | — |
| gl-inet | b1300_firmware | — | — |
| gl-inet | b2200_firmware | — | — |
| gl-inet | e750_firmware | — | — |
| gl-inet | mt1300_firmware | — | — |
| gl-inet | mt2500_firmware | — | — |
| gl-inet | mt3000_firmware | — | — |
| gl-inet | mt300n-v2_firmware | — | — |
| gl-inet | mt6000_firmware | — | — |
| gl-inet | mv1000_firmware | — | — |
| gl-inet | mv1000w_firmware | — | — |
| gl-inet | n300_firmware | — | — |
| gl-inet | s1300_firmware | — | — |
| gl-inet | sf1200_firmware | — | — |
| gl-inet | sft1200_firmware | — | — |
| gl-inet | usb150_firmware | — | — |
| gl-inet | x3000_firmware | — | — |
| gl-inet | x300b_firmware | — | — |
Detection & IOCs (extracted from sources)
Path: /rpc
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GL.iNet Possible admin sid brute force attempt (CVE-2024-39225)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:4; content:"/rpc"; http.request_body; content:"|22|jsonrpc|22 3a 22|2.0|22|"; content:"|22|id|22 3a|"; content:"|22|method|22 3a 22|alive|22|"; content:"|22|params|22 3a 7b 22|sid|22 3a|"; fast_pattern; threshold: type both, track by_src, count 5, seconds 60; reference:cve,2024-39225; reference:url,github.com/aggressor0/GL.iNet-Exploits/tree/main; classtype:attempted-admin; sid:2065925; rev:1; metadata:affected_product GL_iNet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_26, cve CVE_2024_39225, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit traffic targets HTTP POST to the /rpc endpoint (exactly 4 bytes in URI) with a JSON-RPC 2.0 body calling the 'alive' method and supplying a 'sid' parameter, consistent with session ID brute-forcing to achieve pre-auth RCE.
- Threshold of 5 POST /rpc requests within 60 seconds from the same source IP is the detection trigger for brute-force activity.
- The attack is classified under MITRE ATT&CK T1190 (Exploit Public-Facing Application) with Initial Access tactic (TA0001), targeting GL.iNet networking equipment over plaintext HTTP.
- The Snort/Suricata rule only fires on plaintext HTTP traffic (tls_state plaintext); if the GL.iNet admin interface is accessed over HTTPS/TLS, this rule will not trigger and additional TLS-inspection or decryption is required.
- Rule confidence is rated Medium by Proofpoint Nexus, meaning false positives are possible; tune the threshold (count/seconds) to your environment before deploying in block mode.
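To make the rule's matching logic concrete for tuning and for offline testing against request logs, the following is an added example (not code from the page's sources, GL.iNet or Proofpoint) that re-implements the content matches and the `threshold: type both, track by_src, count 5, seconds 60` behaviour of sid 2065925 in Python. The sample requests, IP addresses and session-ID strings are constructed for the example; the body byte patterns are the hex escapes from the rule decoded to ASCII. The threshold emulation uses a fixed per-source window, which is an assumption about how the engine counts rather than a copy of its implementation.

```python
"""Offline re-implementation of the matching logic in ET sid 2065925 (CVE-2024-39225).

Added example: mirrors the Snort/Suricata rule shown on the page so the
threshold can be tuned against real request logs; not GL.iNet or Proofpoint code.
"""

# Body patterns from the rule's http.request_body content matches, hex escapes decoded:
#   |22|jsonrpc|22 3a 22|2.0|22|      -> "jsonrpc":"2.0"
#   |22|id|22 3a|                     -> "id":
#   |22|method|22 3a 22|alive|22|     -> "method":"alive"
#   |22|params|22 3a 7b 22|sid|22 3a| -> "params":{"sid":
# These are exact byte matches, not parsed JSON, so the detector mirrors that.
BODY_NEEDLES = (
    b'"jsonrpc":"2.0"',
    b'"id":',
    b'"method":"alive"',
    b'"params":{"sid":',
)

THRESHOLD_COUNT = 5     # threshold: count 5
THRESHOLD_SECONDS = 60  # threshold: seconds 60


def matches_content(method: str, uri: str, body: bytes) -> bool:
    """True when one request satisfies every content match of the rule."""
    if method != "POST":            # http.method; content:"POST"
        return False
    if uri != "/rpc":               # http.uri; bsize:4; content:"/rpc"
        return False
    return all(needle in body for needle in BODY_NEEDLES)


class SourceThreshold:
    """Emulates 'threshold: type both, track by_src': alert once per window
    after the Nth matching request from the same source (fixed window, assumption)."""

    def __init__(self, count=THRESHOLD_COUNT, seconds=THRESHOLD_SECONDS):
        self.count = count
        self.seconds = seconds
        self.state = {}  # src -> (window_start, hits, already_alerted)

    def observe(self, src: str, ts: float) -> bool:
        start, hits, alerted = self.state.get(src, (ts, 0, False))
        if ts - start >= self.seconds:          # window expired: start a new one
            start, hits, alerted = ts, 0, False
        hits += 1
        fire = hits >= self.count and not alerted
        if fire:
            alerted = True                      # 'type both': one alert per window
        self.state[src] = (start, hits, alerted)
        return fire


def run_detector(requests):
    """requests: iterable of (ts_seconds, src_ip, method, uri, body_bytes).
    Returns the list of (ts, src) pairs at which the rule would alert."""
    threshold = SourceThreshold()
    alerts = []
    for ts, src, method, uri, body in requests:
        if matches_content(method, uri, body) and threshold.observe(src, ts):
            alerts.append((ts, src))
    return alerts


def sample_alive_body(sid: str) -> bytes:
    """Constructed JSON-RPC 'alive' body in the shape the rule matches (test data only)."""
    return ('{"jsonrpc":"2.0","id":1,"method":"alive","params":{"sid":"%s"}}' % sid).encode()


# Constructed request log (documentation-range IPs): one bursting source that should
# alert exactly once, one legitimate keep-alive, one non-matching method call, and
# one slow source whose five requests span more than 60 s and must not alert.
SAMPLE_REQUESTS = [
    *[(100.0 + i, "198.51.100.7", "POST", "/rpc", sample_alive_body("a" * 32)) for i in range(6)],
    (105.0, "192.0.2.10", "POST", "/rpc", sample_alive_body("deadbeef")),
    (106.0, "198.51.100.7", "POST", "/rpc", b'{"jsonrpc":"2.0","id":2,"method":"login","params":{}}'),
    *[(200.0 + 20 * i, "203.0.113.5", "POST", "/rpc", sample_alive_body("b" * 32)) for i in range(5)],
]

if __name__ == "__main__":
    for ts, src in run_detector(SAMPLE_REQUESTS):
        print(f"t={ts:.0f}s src={src}: possible admin sid brute force (sid 2065925 logic)")
```

Because the content matches are byte-exact, a request body with different whitespace or key ordering does not match; when tuning, compare the count of `matches_content` hits against your own admin panel's keep-alive traffic before lowering the threshold or moving the rule to block mode.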
Suricata rule: ET WEB_SPECIFIC_APPS GL.iNet Possible admin sid brute force attempt (CVE-2024-39225)
suricata · 2025-11-26 · CVSS 9.8
No public exploits indexed.
No writeups or analysis indexed.