CVE-2024-39227
📋 TL;DR
This vulnerability allows an unauthenticated attacker who can reach the router's web server to execute arbitrary code or perform directory traversal via the /cgi-bin/glc endpoint. The endpoint accepts crafted JSON requests without any authentication check (insecure permissions), so no credentials or user interaction are needed. All users of the listed GL-iNet models running firmware from before the vendor fix are affected.
💻 Affected Systems
- AR750
- AR750S
- AR300M
- AR300M16
- MT300N-V2
- B1300
- MT1300
- SFT1200
- X750
- MT3000
- MT2500
- AXT1800
- AX1800
- A1300
- X300B
- XE300
- E750
- AP1300
- S1300
- XE3000
- X3000
📦 What is this software?
GL-iNet (GL.iNet) builds travel, home and IoT routers that run an OpenWrt-based firmware with a vendor web administration interface. /cgi-bin/glc is a CGI endpoint served by that web interface which accepts JSON requests; the vulnerability is that it can be reached and driven without logging in.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router allowing persistent backdoor installation, network traffic interception, lateral movement to connected devices, and router bricking.
Likely Case
Remote code execution leading to router configuration changes, credential theft, DNS hijacking, and botnet recruitment.
If Mitigated
Limited impact if the router's web interface is reachable only from a trusted management network. Because the endpoint needs no authentication, any client on a LAN or guest Wi-Fi segment that can reach the router's web server can exploit it, so blocking WAN-side access alone is not sufficient.
🎯 Exploit Status
Exploitation needs only an HTTP request carrying crafted JSON to /cgi-bin/glc: no credentials, no user interaction, and no tooling beyond curl or a scripting language. Any client that can reach the router's web interface (the WAN side if remote administration is enabled, otherwise the LAN or guest network) can attempt it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not stated here; install the latest firmware GL-iNet publishes for your specific model (the vendor advisory below tracks the fix)
Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Access%20to%20the%20C%20library%20without%20logging%20in.md
Restart Required: Yes
Instructions:
1. Log into the router admin interface.
2. Navigate to System > Firmware Upgrade.
3. Check for available updates.
4. Download and install the latest firmware for your model.
5. Reboot the router after installation.
🔧 Temporary Workarounds
Block CGI endpoint access
Linux: use firewall rules on the router to drop requests for the /cgi-bin/glc endpoint. A payload string match only works on cleartext HTTP and only on the packet that carries the path; it cannot see inside TLS, so it does not protect port 443. Rules added by hand are lost when the firewall reloads or the router reboots, so persist them in the firmware's firewall configuration.
# Cleartext HTTP only; needs the xt_string match module and cannot inspect TLS, so port 443 is not covered by this rule
iptables -A INPUT -p tcp --dport 80 -m string --string "/cgi-bin/glc" --algo bm -j DROP
# For HTTPS the URI is encrypted: refuse WAN-side access to the web interface instead (WAN_IF is an assumed variable holding your WAN interface name, e.g. eth0)
iptables -I INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443 -j DROP
Disable remote administration
All platforms: turn off remote (WAN-side) access to the router web interface so that only LAN clients can reach /cgi-bin/glc. Since the endpoint needs no credentials, clients on the LAN or guest network can still exploit it; combine this with the segmentation below.
🧯 If You Can't Patch
- Segment affected routers on isolated VLANs with strict firewall rules
- Monitor for HTTP POST requests to /cgi-bin/glc, especially from addresses outside the network you administer the router from
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the router admin interface under System > Status, or from a shell on the router:
Check Version:
cat /etc/glversion
Verify Fix Applied:
Confirm the installed firmware version is at or above the fixed version GL-iNet publishes for your model, and confirm that an unauthenticated POST of a JSON body to /cgi-bin/glc is rejected (for example with an HTTP 401/403) rather than processed.
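The two checks above, as an added helper script that is not part of the page or of GL-iNet's firmware: it compares the /etc/glversion string against a fixed version you supply (the page does not list one), and it sends a harmless empty JSON object to /cgi-bin/glc with no session or credentials and reports how the router answers. The status-to-verdict mapping is an assumption about how patched firmware responds; a 2xx means the endpoint processed an unauthenticated JSON request and the body needs manual inspection.

```python
"""Added verification helper for CVE-2024-39227 (not GL-iNet's code).

  1. compare the installed firmware version (/etc/glversion) with the fixed
     version the vendor publishes for your model;
  2. confirm /cgi-bin/glc rejects an unauthenticated JSON POST.
"""
import json
import re
import ssl
import sys
import urllib.error
import urllib.request

GLC_PATH = "/cgi-bin/glc"


def version_tuple(text):
    """Turn a glversion string such as '4.2.1' (or '4.2.1-release2') into a
    comparable tuple of ints; a trailing non-numeric suffix is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_older(installed, fixed):
    """True when the installed version sorts below the fixed version.
    Pads with zeros so '4.2' compares equal to '4.2.0'."""
    a, b = version_tuple(installed), version_tuple(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def probe_glc(base_url, timeout=5.0):
    """POST an empty JSON object to /cgi-bin/glc with no cookie or
    Authorization header and return (status, first bytes of body).
    The body {} is deliberately harmless: this checks the auth gate, not the bug."""
    req = urllib.request.Request(
        base_url.rstrip("/") + GLC_PATH,
        data=json.dumps({}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    # Routers normally present a self-signed certificate; verification is
    # skipped for this local check only (assumption: you are on the LAN).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(256)
    except urllib.error.HTTPError as err:
        return err.code, err.read(256)


def verdict(status):
    """Coarse result for the probe. Assumed mapping: 401/403 means the
    endpoint is gated, 404 means it is gone, any 2xx means it processed the
    unauthenticated request and the response must be reviewed by hand."""
    if status in (401, 403):
        return "gated"
    if status == 404:
        return "absent"
    if 200 <= status < 300:
        return "review"
    return "unknown"


if __name__ == "__main__":
    # usage: python3 glc_check.py https://192.168.8.1 <installed> <fixed>
    base, installed, fixed = sys.argv[1:4]
    print("firmware older than fix:", is_older(installed, fixed))
    status, body = probe_glc(base)
    print("probe status:", status, "->", verdict(status), body[:80])
```

Run it from a LAN client against the router's address; the version comparison needs the fixed version from the vendor's advisory or release notes for your model.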
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /cgi-bin/glc carrying JSON bodies, with no preceding login
- Unusual child processes (shells, downloaders) spawned by the web server process or running as its user
- Failed authentication attempts followed by successful /cgi-bin/glc access
Network Indicators:
- Unusual outbound connections from router
- HTTP POST requests to /cgi-bin/glc from external IPs
- Sudden traffic spikes from router
SIEM Query (parentheses added because AND binds tighter than OR in most query languages, so the intended rule is "exact endpoint, or any POST whose path contains glc"):
source="router_logs" AND (uri="/cgi-bin/glc" OR (method="POST" AND uri CONTAINS "glc"))