CVE-2023-47463
📋 TL;DR
This CVE describes an unauthenticated remote code execution vulnerability in GL.iNet AX1800 routers. Attackers can execute arbitrary code without authentication by sending a crafted script to the gl_nas_sys authentication function. All users running affected firmware versions are vulnerable to complete system compromise.
💻 Affected Systems
- GL.iNet AX1800 router
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover: attacker gains root access, installs persistent malware, pivots to internal networks, and exfiltrates sensitive data.
Likely Case
Router compromise leading to man-in-the-middle attacks, credential theft, network surveillance, and botnet recruitment.
If Mitigated
Limited impact with proper network segmentation and firewall rules preventing external access to vulnerable services.
🎯 Exploit Status
Public GitHub repository contains detailed exploitation information. The vulnerability requires sending crafted requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.0 and later
Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/an%20unauthenticated%20remote%20code%20execution.md
Restart Required: Yes
Instructions:
1. Log into router admin interface. 2. Navigate to System > Firmware Upgrade. 3. Check for updates and install version 4.5.0 or later. 4. Reboot router after installation completes.
🔧 Temporary Workarounds
Disable WAN access to admin interface
allPrevent external access to vulnerable authentication function by disabling WAN administration
Navigate to router admin interface > System > Administration > Disable 'Allow WAN Access'
Network segmentation and firewall rules
allIsolate router management interface from untrusted networks
Configure firewall to block external access to router management ports (typically 80, 443, 22)
🧯 If You Can't Patch
- Immediately isolate affected routers from internet access using firewall rules
- Implement strict network segmentation to limit lateral movement if router is compromised
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router admin interface under System > Firmware. If version is between 4.0.0 and 4.4.x, device is vulnerable.Check Version:
ssh admin@router-ip 'cat /etc/glversion' or check web interfaceVerify Fix Applied:
After updating, verify firmware version shows 4.5.0 or later in System > Firmware section.📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to gl_nas_sys function
- Unexpected process execution or system modifications
- Failed login attempts followed by successful command execution
Network Indicators:
- HTTP/HTTPS requests to router management interface containing script payloads
- Unusual outbound connections from router to external IPs
SIEM Query:
source="router-logs" AND ("gl_nas_sys" OR "unauthorized access" OR "command injection")