CVE-2023-29778

9.8 CRITICAL

📋 TL;DR

CVE-2023-29778 allows remote attackers to execute arbitrary operating system commands on GL.iNET MT3000 routers via command injection in the logread RPC endpoint. This vulnerability affects all users running vulnerable firmware versions, potentially giving attackers full control of affected devices.

💻 Affected Systems

Products:
  • GL.iNET MT3000
Versions: 4.1.0 Release 2
Operating Systems: OpenWrt-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface component oui-httpd; vulnerable in default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise, allowing attackers to install persistent backdoors, intercept network traffic, pivot into internal networks, or use the device as a botnet node.

🟠 Likely Case

Remote code execution leading to device takeover, credential theft, and network surveillance.

🟢 If Mitigated

Limited impact if the device sits behind a firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - Directly accessible devices can be exploited remotely without authentication.
🏢 Internal Only: HIGH - Even internally, exploitation can lead to lateral movement and network compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept demonstrates remote exploitation via HTTP request to vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 4.1.0 Release 2

Vendor Advisory: http://glinet.com

Restart Required: Yes

Instructions:

1. Log into the router admin interface.
2. Navigate to System > Firmware.
3. Check for updates and install the latest version.
4. Reboot the router after the update completes.

🔧 Temporary Workarounds

Disable web interface access

Temporarily disable the vulnerable web interface component. Note that this removes the web admin UI entirely (the `disable` step keeps it off across reboots), so keep SSH access available to re-enable it after patching:

/etc/init.d/oui-httpd stop
/etc/init.d/oui-httpd disable

Restrict network access

Configure the firewall to block external access to the router web interface. As written, these rules drop the web interface on every interface, including the LAN, so scope them to the WAN interface (for example with `-i <wan-interface>`, a placeholder for your device's WAN interface name) if you still need local admin access; they also do not persist across a reboot unless added to the firewall configuration:

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict firewall rules
  • Implement network monitoring for exploitation attempts and unusual outbound connections

🔍 How to Verify

Check if Vulnerable:

Check if /usr/lib/oui-httpd/rpc/logread endpoint accepts command injection via crafted HTTP requests

Check Version:

cat /etc/glversion

Verify Fix Applied:

Verify firmware version is newer than 4.1.0 Release 2 and test endpoint no longer executes injected commands

📡 Detection & Monitoring

Log Indicators:

  • Unexpected shell commands or process executions recorded in the router's system logs
  • HTTP requests to /usr/lib/oui-httpd/rpc/logread containing shell metacharacters. Note that this is the handler's path on the router's filesystem; if the RPC module is reached through a generic RPC endpoint on your firmware, also match on request bodies that name logread.

Network Indicators:

  • HTTP POST requests to logread endpoint containing pipe characters or semicolons
  • Unexpected outbound connections from router

SIEM Query:

source="router_logs" AND (url="/usr/lib/oui-httpd/rpc/logread" AND (request CONTAINS "|" OR request CONTAINS ";" OR request CONTAINS "`"))

This is pseudo-syntax; adapt the field names to your SIEM. Matching the raw request string misses percent-encoded metacharacters (%3B, %7C, %60), so URL-decode or normalise the request field before matching.
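The detection logic the indicators above describe, written out as an added example (this is not code from the advisory or from GL.iNET): it parses a few constructed request records, URL-decodes them so percent-encoded separators are not missed, and flags only requests that reference logread and carry a shell metacharacter. The log line format, the `/rpc` path in the last sample record, and the helper names are assumptions for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample records (not real router logs). The "METHOD URL body=..."
# layout is an assumption for this example; adapt parse_line() to your log source.
# The "/rpc" path in the last record is a hypothetical generic RPC endpoint.
SAMPLE_LOG = """\
POST /usr/lib/oui-httpd/rpc/logread body={"lines":50}
POST /usr/lib/oui-httpd/rpc/logread body={"lines":"50;id"}
GET /usr/lib/oui-httpd/rpc/logread?lines=20%3Bid body=
GET /cgi-bin/search?q=a%7Cb body=
POST /rpc body={"method":"call","params":["logread","get",{"filter":"`id`"}]}
"""

LOGREAD_MARKER = "logread"
# The metacharacters the advisory lists (| ; `) plus $( and line separators,
# which serve the same purpose in a shell command string.
SHELL_META = re.compile(r"[;|`\n\r]|\$\(")
LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) body=(?P<body>.*)$")


def parse_line(line):
    """Split one constructed log record into method, url and body; None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def decode(s):
    # Decode twice so double-encoded payloads (%253B -> %3B -> ;) are normalised too.
    return unquote_plus(unquote_plus(s))


def inspect_request(url, body):
    """Return a reason string if the request targets logread with a shell
    metacharacter in its URL or body, else None."""
    url_d, body_d = decode(url), decode(body)
    # Scope to logread so ordinary requests containing '|' or ';' elsewhere are ignored.
    if LOGREAD_MARKER not in url_d and LOGREAD_MARKER not in body_d:
        return None
    for where, text in (("url", url_d), ("body", body_d)):
        m = SHELL_META.search(text)
        if m:
            return f"shell metacharacter {m.group(0)!r} in {where}"
    return None


def scan_log(text):
    """Return (line_number, url, reason) for every suspicious record in the log text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reason = inspect_request(rec["url"], rec["body"])
        if reason:
            findings.append((n, rec["url"], reason))
    return findings


if __name__ == "__main__":
    for n, url, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {url}: {reason}")
```

Of the five constructed records, the first (a plain logread call) and the fourth (a pipe character in an unrelated search query) are not flagged; the second, third and fifth are, including the third, whose `;` only appears after URL-decoding `%3B`.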
