CVE-2024-39226
published 2024-08-06

CVE-2024-39226: GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16…

Priority: P271 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 20.56% (97.2nd percentile)
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a vulnerability that can be exploited to manipulate routers by passing malicious shell commands through the s2s API.

Affected

28 ranges · showing 25

Vendor | Product | Version range | Fixed in
gl-inet | a1300_firmware | |
gl-inet | ap1300_firmware | |
gl-inet | ar300m16_firmware | |
gl-inet | ar300m_firmware | |
gl-inet | ar750_firmware | |
gl-inet | ar750s_firmware | |
gl-inet | ax1800_firmware | |
gl-inet | axt1800_firmware | |
gl-inet | b1300_firmware | |
gl-inet | b2200_firmware | |
gl-inet | e750_firmware | |
gl-inet | mt1300_firmware | |
gl-inet | mt2500_firmware | |
gl-inet | mt3000_firmware | |
gl-inet | mt300n-v2_firmware | |
gl-inet | mt6000_firmware | |
gl-inet | mv1000_firmware | |
gl-inet | mv1000w_firmware | |
gl-inet | n300_firmware | |
gl-inet | s1300_firmware | |
gl-inet | sf1200_firmware | |
gl-inet | sft1200_firmware | |
gl-inet | usb150_firmware | |
gl-inet | x3000_firmware | |
gl-inet | x300b_firmware | |

Detection & IOCs (extracted from sources)

URL: /cgi-bin/glc

Snort/Suricata rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLiNet GL-AX1800 s2s API Command Injection Attempt (CVE-2024-39226)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:12; content:"/cgi-bin/glc"; http.request_body; content:"|22|object|22 3a 20 22|s2s|22|"; fast_pattern; content:"|22|method|22 3a 20 22|enable_echo_server|22|"; content:"|22|args|22 3a|"; content:"|22|port|22 3a|"; pcre:"/^(?:\x22|\x20\x22)[^\x26\x22\x2c\x7d]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,yhuanhuan01.github.io; reference:cve,2024-39226; classtype:attempted-admin; sid:2062265; rev:1; metadata:affected_product GL_iNet, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_05_12, cve CVE_2024_39226, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Byte patterns: |22|object|22 3a 20 22|s2s|22| (decoded: "object": "s2s") and |22|method|22 3a 20 22|enable_echo_server|22| (decoded: "method": "enable_echo_server")
  • Exploit targets HTTP POST requests to the /cgi-bin/glc endpoint (URI length exactly 12 bytes) with a JSON body specifying the 's2s' object and 'enable_echo_server' method; look for shell metacharacters (;, newline, backtick, pipe, $) injected into the 'port' argument field.
  • Shell injection characters to detect in the 'port' value of the s2s API request body: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • The vulnerability is exploited by passing malicious shell commands through the s2s API, targeting GL-iNet routers across multiple firmware lines.
  • Rule is applicable in both Perimeter and Internal deployment contexts, indicating the attack surface includes both internet-facing and LAN-side router management interfaces.
  • The Snort/Suricata rule (sid:2062265) inspects the HTTP request body, so when the management interface is accessed over HTTPS it only fires with TLS decryption in place (tls_state TLSDecrypt); without TLS decryption the rule will not trigger.
  • Affected firmware versions span multiple product lines; ensure version-based blocking or patching covers all listed variants: AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4.
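As an added illustration (not code from this page, GL-iNet or Emerging Threats), the detection logic of the rule above expressed in Python for offline log review: it parses the JSON body instead of byte-matching, so it accepts any JSON whitespace, and flags the same raw or percent-encoded metacharacters in a string-valued 'port' argument of an s2s.enable_echo_server call to /cgi-bin/glc. The sample requests are constructed, not captured traffic.

```python
import json
import re

# Shell metacharacters the rule's pcre looks for in the 'port' value, raw or
# percent-encoded: ; newline ` | $ and %3B %0A %60 %7C %24.
METACHAR_RE = re.compile(r"[;\n`|$]|%3[Bb]|%0[Aa]|%60|%7[Cc]|%24")


def is_s2s_injection_attempt(method, uri, body):
    """True when a request has the shape the rule flags: POST /cgi-bin/glc with a
    JSON-RPC body calling s2s.enable_echo_server whose 'port' argument is a
    string carrying shell metacharacters."""
    if method != "POST" or uri != "/cgi-bin/glc":
        return False
    try:
        rpc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(rpc, dict):
        return False
    if rpc.get("object") != "s2s" or rpc.get("method") != "enable_echo_server":
        return False
    args = rpc.get("args")
    if not isinstance(args, dict) or "port" not in args:
        return False
    port = args["port"]
    # The rule's pcre requires a quoted value; a numeric port cannot carry
    # metacharacters, so only string values are inspected.
    return isinstance(port, str) and METACHAR_RE.search(port) is not None


# Constructed sample requests (method, uri, body): benign, two suspicious, unrelated.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/glc",
     '{"object": "s2s", "method": "enable_echo_server", "args": {"port": 8080}}'),
    ("POST", "/cgi-bin/glc",
     '{"object": "s2s", "method": "enable_echo_server", "args": {"port": "8080; echo probe"}}'),
    ("POST", "/cgi-bin/glc",
     '{"object":"s2s","method":"enable_echo_server","args":{"port":"8080%7Cecho%20probe"}}'),
    ("POST", "/cgi-bin/glc",
     '{"object": "system", "method": "get_status", "args": {}}'),
]


def scan_requests(requests):
    """Return the indexes of requests that match the detection logic."""
    return [i for i, (m, u, b) in enumerate(requests) if is_s2s_injection_attempt(m, u, b)]


if __name__ == "__main__":
    print(scan_requests(SAMPLE_REQUESTS))  # [1, 2]
```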