CVE-2024-39228
published 2024-08-06

CVE-2024-39228: GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16…

Priority P355
CVSS 3.1: 9.8 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.66% (47.0th percentile)
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a shell injection vulnerability via the interface check_ovpn_client_config and check_config.

Affected

28 ranges · showing 25

Vendor    Product               Version range    Fixed in
gl-inet   a1300_firmware
gl-inet   ap1300_firmware
gl-inet   ar300m16_firmware
gl-inet   ar300m_firmware
gl-inet   ar750_firmware
gl-inet   ar750s_firmware
gl-inet   ax1800_firmware
gl-inet   axt1800_firmware
gl-inet   b1300_firmware
gl-inet   b2200_firmware
gl-inet   e750_firmware
gl-inet   mt1300_firmware
gl-inet   mt2500_firmware
gl-inet   mt3000_firmware
gl-inet   mt300n-v2_firmware
gl-inet   mt6000_firmware
gl-inet   mv1000_firmware
gl-inet   mv1000w_firmware
gl-inet   n300_firmware
gl-inet   s1300_firmware
gl-inet   sf1200_firmware
gl-inet   sft1200_firmware
gl-inet   usb150_firmware
gl-inet   x3000_firmware
gl-inet   x300b_firmware