CVE-2024-45259
📋 TL;DR
This vulnerability allows attackers to delete arbitrary files on affected GL-iNet router devices by intercepting HTTP requests and manipulating the filename parameter in the download interface. Attackers can exploit this to disrupt device functionality or potentially escalate privileges. Users of specific GL-iNet router models running vulnerable firmware versions are affected.
💻 Affected Systems
- GL-iNet MT6000
- GL-iNet MT3000
- GL-iNet MT2500
- GL-iNet AXT1800
- GL-iNet AX1800
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise through deletion of critical system files, leading to persistent denial of service, privilege escalation, or device bricking requiring physical recovery.
Likely Case
Service disruption through deletion of configuration files, logs, or web interface components, causing temporary device unavailability until manual intervention.
If Mitigated
Limited impact if network segmentation prevents attacker access to management interface, with only authorized users able to trigger the vulnerability.
🎯 Exploit Status
Exploitation requires HTTP request interception/modification capability. The GitHub reference contains technical details demonstrating the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: firmware releases newer than 4.6.2 (check GL-iNet firmware updates for your model)
Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Delete%20Any%20File%20via%20Download%20Interface.md
Restart Required: Yes
Instructions:
1. Log into the GL-iNet web interface.
2. Navigate to System > Firmware Upgrade.
3. Check for available updates.
4. Download and install the latest firmware.
5. Reboot the device after installation.
🔧 Temporary Workarounds
Disable Web Management Interface
Prevent HTTP access to the vulnerable interface
uci set glconfig.remote.enable='0'
uci commit glconfig
/etc/init.d/glconfig restart
Network Segmentation
Restrict access to the router management interface
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
These rules cover plain HTTP on port 80 only; if the management interface is also served over HTTPS, repeat them for port 443.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the router's management interface
- Monitor for unusual file deletion activity and maintain regular device configuration backups
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (System > Status) or SSH command: cat /etc/glversion
Check Version:
cat /etc/glversion
Verify Fix Applied:
Confirm firmware version is greater than 4.6.2 and test that filename parameter manipulation no longer allows arbitrary file deletion
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP POST requests to download interface with modified filename parameters
- Unexpected file deletion events in system logs
Network Indicators:
- HTTP traffic to router management interface with manipulated download parameters
- Unusual file access patterns via HTTP
SIEM Query:
source="router_logs" AND (url_path="/cgi-bin/download" OR url_path="/download") AND (filename CONTAINS "/" OR filename CONTAINS "..")
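The SIEM query above, implemented as a small Python checker run over constructed access-log lines (an added example, not part of the advisory or of GL-iNet's code). It goes one step further than the plain CONTAINS query by percent-decoding the filename value before inspecting it, so encoded separators are judged in decoded form. The log line format, the client address and the sample filenames are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Download-interface paths named in the advisory's SIEM query.
DOWNLOAD_PATHS = {"/cgi-bin/download", "/download"}

# Constructed sample log lines (not from any real device); the request
# line follows the common "METHOD path?query HTTP/x" shape.
SAMPLE_LOGS = [
    '192.168.8.100 - - [01/Jan/2024:12:00:01 +0000] "POST /cgi-bin/download?filename=backup-2024.tar.gz HTTP/1.1" 200',
    '192.168.8.100 - - [01/Jan/2024:12:00:05 +0000] "POST /cgi-bin/download?filename=../../etc/config/network HTTP/1.1" 200',
    '192.168.8.100 - - [01/Jan/2024:12:00:09 +0000] "POST /download?filename=%2e%2e%2f%2e%2e%2fetc%2fconfig%2fwireless HTTP/1.1" 200',
    '192.168.8.100 - - [01/Jan/2024:12:00:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200',
    '192.168.8.100 - - [01/Jan/2024:12:00:15 +0000] "POST /cgi-bin/upload?filename=../x HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_filename(value: str) -> bool:
    """True when the filename carries a path separator or parent reference.

    parse_qs has already percent-decoded the value once; decoding again
    catches double-encoded sequences such as %252e%252e.
    """
    decoded = unquote(value)
    return "/" in decoded or "\\" in decoded or ".." in decoded


def check_line(line: str):
    """Return (path, decoded_filename) for a hit on the download interface, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in DOWNLOAD_PATHS:   # other endpoints are out of scope here
        return None
    for value in parse_qs(parts.query).get("filename", []):
        if suspicious_filename(value):
            return parts.path, unquote(value)
    return None


def scan(lines):
    """Run check_line over every log line and collect the hits in order."""
    return [hit for hit in (check_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for path, fname in scan(SAMPLE_LOGS):
        print(f"ALERT {path} filename={fname!r}")
```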