CVE-2024-27356
📋 TL;DR
This vulnerability allows attackers to download files including logs from affected GL-iNet devices via commands, potentially exposing sensitive user information. It affects multiple GL-iNet router models running specific firmware versions. The issue stems from improper access controls that permit unauthorized file downloads.
💻 Affected Systems
- GL-iNet MT6000
- GL-iNet XE3000
- GL-iNet X3000
- GL-iNet MT3000
- GL-iNet MT2500
- GL-iNet AXT1800
- GL-iNet AX1800
- GL-iNet A1300
- GL-iNet S200
- GL-iNet X750
- GL-iNet SFT1200
- GL-iNet XE300
- GL-iNet MT1300
- GL-iNet AR750
- GL-iNet AR750S
- GL-iNet AR300M
- GL-iNet AR300M16
- GL-iNet B1300
- GL-iNet MT300N-v2
- GL-iNet X300B
- GL-iNet S1300
- GL-iNet SF1200
- GL-iNet MV1000
- GL-iNet N300
- GL-iNet B2200
- GL-iNet X1200
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could download sensitive logs containing user credentials, network configurations, or personal data, leading to complete device compromise and lateral movement into connected networks.
Likely Case
Attackers download system logs containing device information, partial network details, and potentially some user activity data, enabling reconnaissance for further attacks.
If Mitigated
With proper network segmentation and access controls, impact is limited to the affected device only, preventing lateral movement to other systems.
🎯 Exploit Status
The vulnerability requires command execution capability, suggesting attackers need some level of access to the device interface. The GitHub repository contains technical details about the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GL-iNet firmware updates for each model
Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md
Restart Required: Yes
Instructions:
1. Log into GL-iNet device web interface. 2. Navigate to System > Firmware. 3. Check for available updates. 4. Download and install latest firmware. 5. Reboot device after installation.
🔧 Temporary Workarounds
Restrict network access
allLimit access to device administration interface to trusted IP addresses only
Disable remote administration
allTurn off remote administration features if not required
🧯 If You Can't Patch
- Isolate affected devices in separate network segments
- Implement strict firewall rules to limit inbound connections to device interfaces
🔍 How to Verify
Check if Vulnerable:
Check device firmware version in web interface under System > Firmware and compare with affected versions listCheck Version:
Login to device web interface and navigate to System > Firmware to view current versionVerify Fix Applied:
Verify firmware version has been updated to a version not listed in the CVE description📡 Detection & Monitoring
Log Indicators:
- Unusual file download requests in device logs
- Multiple failed authentication attempts followed by file access
Network Indicators:
- Unusual traffic patterns to device administration ports
- File download requests to device interfaces from unexpected sources
SIEM Query:
source="gl-inet-device" AND (event="file_download" OR event="log_access") AND user!="authorized_user"