CVE-2024-39228
📋 TL;DR
This CVE describes a shell injection vulnerability in GL-iNet router firmware that allows remote attackers to execute arbitrary commands with root privileges. The vulnerability exists in the OpenVPN configuration checking interfaces and affects multiple GL-iNet router models. Attackers can exploit this without authentication to gain complete control of affected devices.
💻 Affected Systems
- AR750
- AR750S
- AR300M
- AR300M16
- MT300N-V2
- B1300
- MT1300
- SFT1200
- X750
- MT3000
- MT2500
- AXT1800
- AX1800
- A1300
- X300B
- XE300
- E750
- AP1300
- S1300
- XE3000
- X3000
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent backdoors, intercept all network traffic, pivot to internal networks, or use the device as part of a botnet.
Likely Case
Remote code execution leading to device takeover, credential theft, and network surveillance.
If Mitigated
Limited impact if devices are behind firewalls with restricted WAN access and proper network segmentation.
🎯 Exploit Status
The GitHub reference contains technical details and proof-of-concept. The high CVSS score and unauthenticated nature make weaponization likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor for latest firmware updates
Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Ovpn%20interface%20shell%20injection.md
Restart Required: Yes
Instructions:
1. Log into the router web interface.
2. Navigate to System > Upgrade.
3. Check for firmware updates.
4. Download and install the latest firmware.
5. Reboot the router after installation.
🔧 Temporary Workarounds
- Disable OpenVPN interface: temporarily disable OpenVPN functionality to remove the attack surface. Navigate to VPN > OpenVPN in the web interface and disable all OpenVPN clients/servers.
- Restrict web interface access: limit access to the router administration interface. Configure firewall rules to restrict access to the router IP on ports 80/443 to trusted IPs only.
🧯 If You Can't Patch
- Move affected devices behind a firewall with strict inbound rules
- Disable WAN access to router administration interface entirely
🔍 How to Verify
Check if Vulnerable:
Check firmware version in web interface under System > Status. Compare with affected versions list.
Check Version:
ssh admin@router-ip 'cat /etc/glversion' or check web interface System > Status
Verify Fix Applied:
After updating, verify firmware version shows a version higher than affected ones. Test OpenVPN configuration functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual commands in system logs
- Unexpected processes running
- OpenVPN configuration changes from unknown sources
Network Indicators:
- Unexpected outbound connections from router
- Traffic to known malicious IPs
- Port scans originating from router
SIEM Query:
source="router-logs" AND ("check_ovpn_client_config" OR "check_config" OR "shell injection")
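The SIEM query above matches every call to the config-check interfaces, legitimate or not. The following added example (not from this page or from GL-iNet) runs the same term match over constructed router log lines and then narrows it by flagging only calls whose argument carries shell metacharacters; the log format and the `name=`/`path=` arguments are assumptions for illustration only.

```python
import re

# Constructed sample router log lines; the message format is an assumption,
# not real GL-iNet output.
SAMPLE_LOGS = [
    "Jan 10 10:01:02 router rpcd: call check_ovpn_client_config name=office.ovpn",
    "Jan 10 10:01:09 router rpcd: call check_ovpn_client_config name=x;id",
    "Jan 10 10:02:13 router rpcd: call check_config path=/tmp/$(id).ovpn",
    "Jan 10 10:03:00 router dropbear: Password auth succeeded for 'root' from 192.168.8.100",
]

# Terms from the page's SIEM query and the two config-check interfaces it names.
SIEM_TERMS = ("check_ovpn_client_config", "check_config", "shell injection")
CONFIG_CHECK_IFACES = ("check_ovpn_client_config", "check_config")
# Characters that let a value escape into a shell command line.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def matches_siem_query(line: str) -> bool:
    """Mirror the SIEM query: any of the listed terms present (case-insensitive)."""
    low = line.lower()
    return any(term in low for term in SIEM_TERMS)


def suspicious_config_check(line: str) -> bool:
    """True only for config-check calls whose argument contains shell metacharacters."""
    for iface in CONFIG_CHECK_IFACES:
        pos = line.find(iface)
        if pos != -1:
            # Treat everything after the interface name as its argument.
            return bool(SHELL_META.search(line[pos + len(iface):]))
    return False


def scan(lines):
    """Return (line_number, reason, line) for each hit; a line may hit twice."""
    hits = []
    for n, line in enumerate(lines, 1):
        if matches_siem_query(line):
            hits.append((n, "siem-term", line))
        if suspicious_config_check(line):
            hits.append((n, "shell-meta-in-config-check", line))
    return hits


if __name__ == "__main__":
    for n, reason, line in scan(SAMPLE_LOGS):
        print(f"line {n} [{reason}]: {line}")
```

Lines 1 to 3 all satisfy the raw SIEM query; only lines 2 and 3 also trip the metacharacter check, which is the hit worth an alert.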