CVE-2023-50919

9.8 CRITICAL

📋 TL;DR

This CVE describes an NGINX authentication bypass vulnerability in GL.iNet router firmware that allows unauthenticated attackers to execute arbitrary commands. The flaw exists in Lua string pattern matching, enabling remote code execution without credentials. It affects multiple GL.iNet router models running vulnerable firmware versions.

💻 Affected Systems

Products:
  • GL.iNet A1300
  • GL.iNet AX1800
  • GL.iNet AXT1800
  • GL.iNet MT3000
  • GL.iNet MT2500
  • GL.iNet MT6000
  • GL.iNet MT1300
  • GL.iNet MT300N-V2
  • GL.iNet AR750S
  • GL.iNet AR750
  • GL.iNet AR300M
  • GL.iNet B1300
Versions: Before version 4.5.0 (specific affected versions: A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, B1300 4.3.7)
Operating Systems: GL.iNet custom firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise, allowing an attacker to install persistent backdoors, intercept network traffic, pivot to internal networks, and use the device as a botnet node.

🟠 Likely Case

Unauthenticated remote command execution leading to device takeover, credential theft, and network surveillance.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict ingress filtering and network segmentation.

🌐 Internet-Facing: HIGH - Directly exposed devices can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to pivot through networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on Packet Storm Security. Exploitation requires no authentication and minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.0 and later

Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Authentication-bypass.md

Restart Required: Yes

Instructions:

1. Log into the GL.iNet router admin interface.
2. Navigate to System > Firmware Upgrade.
3. Check for updates and upgrade to version 4.5.0 or later.
4. Reboot the device after the upgrade completes.

🔧 Temporary Workarounds

Disable remote administration

Prevent external access to the web administration interface (Linux shell on the router):

uci set glconfig.remote.enable='0'
uci commit glconfig
/etc/init.d/glconfig restart

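Restrict access with firewall rules

Limit access to the router management interface to trusted IPs only (Linux shell on the router). TRUSTED_IP is a placeholder for the address allowed to reach the interface. The -A flag appends to the end of the INPUT chain, so these rules apply only to traffic that no earlier rule in the chain has already matched.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP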

🧯 If You Can't Patch

  • Isolate affected devices in a separate VLAN with strict firewall rules
  • Implement network monitoring for unusual outbound connections from routers

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the admin interface at System > Firmware Upgrade, or over SSH with the command: cat /etc/glversion

Check Version:

cat /etc/glversion

Verify Fix Applied:

Verify firmware version is 4.5.0 or later. Test authentication bypass by attempting to access protected endpoints without credentials.
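The version check above as a script, added here as an example and not taken from the vendor or the original page. It assumes /etc/glversion holds a plain dotted version string, and the function names are hypothetical. The page also lists MT6000 4.5.0 among the affected versions, so confirm the fixed release for that model in the vendor advisory.

```shell
#!/bin/sh
# Added example: compare a GL.iNet firmware version against the fixed
# release named on this page. Written for POSIX sh / BusyBox ash.
FIXED_VERSION="4.5.0"   # "Patch Version" from this page

# version_lt A B: succeed (return 0) when dotted version A is older than B.
# Missing components count as 0, so "4.5" equals "4.5.0".
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        # Drop the component just read; clear the string when no dot is left.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # Keep only leading digits so a suffix such as "7-beta" still compares.
        x=${x%%[!0-9]*} y=${y%%[!0-9]*}
        x=${x:-0} y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "older"
}

# firmware_status VERSION: print "vulnerable", "patched" or "unknown".
firmware_status() {
    case $1 in
        ''|[!0-9]*) echo "unknown"; return 0 ;;   # empty or not a version
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# On the router itself, read the version file named on this page.
if [ -r /etc/glversion ]; then
    v=$(cat /etc/glversion)
    echo "firmware $v: $(firmware_status "$v")"
fi
```

Across a fleet, call firmware_status with each version string collected from inventory instead of reading the local file.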

📡 Detection & Monitoring

Log Indicators:

  • Unusual Lua script execution in NGINX logs
  • Authentication bypass attempts in web server logs
  • Unexpected command execution via web interface

Network Indicators:

  • Unusual outbound connections from router to unknown IPs
  • Multiple failed authentication attempts followed by successful access

SIEM Query:

(source="nginx" AND ("lua" OR "auth_bypass")) OR (source="router" AND event="command_execution")
