CVE-2023-50921
📋 TL;DR
This vulnerability allows attackers to invoke the add_user interface in the system module on GL.iNet devices to gain root privileges. It affects multiple GL.iNet router models running firmware versions through 4.5.0, enabling complete device compromise.
💻 Affected Systems
- GL.iNet A1300
- GL.iNet AX1800
- GL.iNet AXT1800
- GL.iNet MT3000
- GL.iNet MT2500
- GL.iNet MT6000
- GL.iNet MT1300
- GL.iNet MT300N-V2
- GL.iNet AR750S
- GL.iNet AR750
- GL.iNet AR300M
- GL.iNet B1300
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full root access to the device, allowing them to install persistent malware, intercept all network traffic, pivot to internal networks, and brick the device.
Likely Case
Remote attackers exploit the vulnerability to gain administrative control over the router, enabling traffic interception, DNS hijacking, and credential theft.
If Mitigated
With proper network segmentation and access controls, impact is limited to the compromised device only, preventing lateral movement.
🎯 Exploit Status
The vulnerability is documented in public GitHub repositories with technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 4.5.0
Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Add_user_vulnerability.md
Restart Required: Yes
Instructions:
1. Log into GL.iNet router admin interface. 2. Navigate to System > Firmware Upgrade. 3. Check for and install latest firmware update. 4. Reboot the device after update completes.
🔧 Temporary Workarounds
Disable remote administration
allPrevents external attackers from accessing the vulnerable interface
Network segmentation
allIsolate GL.iNet devices on separate VLANs to limit attack surface
🧯 If You Can't Patch
- Remove internet-facing access and place behind firewall with strict inbound rules
- Implement network monitoring for suspicious authentication attempts and privilege escalation
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router admin interface under System > Status. If version is 4.5.0 or earlier on affected models, device is vulnerable.Check Version:
Login to router web interface and navigate to System > Status pageVerify Fix Applied:
After updating, verify firmware version shows higher than 4.5.0 in System > Status.📡 Detection & Monitoring
Log Indicators:
- Unexpected user account creation
- Root privilege escalation attempts
- Unauthorized access to system modules
Network Indicators:
- Unusual authentication requests to router admin interface
- Traffic patterns indicating router compromise
SIEM Query:
source="router.log" AND ("add_user" OR "privilege escalation" OR "root access")