CVE-2024-45261
📋 TL;DR
This vulnerability allows attackers to bypass authentication on affected GL-iNet routers by exploiting improperly generated session IDs (SIDs) that aren't tied to specific users. Attackers can generate valid SIDs, escalate privileges, and gain full administrative control of the device. Users of GL-iNet MT6000, MT3000, MT2500, AXT1800, and AX1800 routers running version 4.6.2 are affected.
💻 Affected Systems
- GL-iNet MT6000
- GL-iNet MT3000
- GL-iNet MT2500
- GL-iNet AXT1800
- GL-iNet AX1800
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router allowing attackers to intercept all network traffic, modify DNS settings, install malware, and pivot to internal network devices.
Likely Case
Unauthorized administrative access to the router enabling network monitoring, configuration changes, and potential credential theft from connected devices.
If Mitigated
Limited impact if strong network segmentation and monitoring are in place, though router compromise still poses significant risk.
🎯 Exploit Status
The GitHub reference contains technical details that could be used to create working exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 4.6.2
Vendor Advisory: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Bypassing%20Login%20Mechanism%20with%20Passwordless%20User%20Login.md
Restart Required: Yes
Instructions:
1. Log into the router admin interface.
2. Navigate to System > Firmware.
3. Check for updates and install the latest version.
4. Reboot the router after the update completes.
🔧 Temporary Workarounds
- Disable remote administration: prevents external attackers from accessing the admin interface
- Change default admin credentials: while not a complete fix, reduces attack surface
🧯 If You Can't Patch
- Isolate affected routers in separate VLAN with strict firewall rules
- Implement network monitoring for unusual authentication attempts to router admin interface
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router admin interface under System > Firmware
Check Version:
Run ssh admin@router-ip 'cat /etc/version' (substituting the router's address for router-ip), or check the version in the web interface
Verify Fix Applied:
Verify that the firmware version is newer than 4.6.2, then test authentication with multiple users to confirm that each session ID is bound to the user who logged in
📡 Detection & Monitoring
Log Indicators:
- Multiple successful logins from different IPs with same SID
- Unauthorized admin access from unexpected sources
Network Indicators:
- Unusual traffic patterns to router admin interface
- Multiple authentication attempts in short time
SIEM Query:
source="router-logs" AND (event="authentication_success" AND count() > 1 BY session_id)
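The two log indicators above (one SID seen from several source addresses, and bursts of authentication events from one source) can be checked offline against exported router logs. The script below is an added example, not part of this advisory or GL-iNet's tooling; the log line layout and the sample lines are constructed assumptions, so adapt LINE_RE to your actual syslog format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; the field layout is an assumption, not GL-iNet's real format.
SAMPLE_LOGS = """\
2024-08-20T10:00:01 auth_success user=root src=192.168.8.100 sid=a1b2c3d4e5f6
2024-08-20T10:00:05 auth_success user=root src=192.168.8.100 sid=a1b2c3d4e5f6
2024-08-20T10:01:12 auth_success user=root src=203.0.113.7 sid=a1b2c3d4e5f6
2024-08-20T10:02:30 auth_success user=root src=192.168.8.101 sid=ffffff000000
2024-08-20T10:03:00 auth_failure user=root src=203.0.113.9 sid=-
2024-08-20T10:03:02 auth_failure user=root src=203.0.113.9 sid=-
2024-08-20T10:03:06 auth_success user=root src=203.0.113.9 sid=0123456789ab
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>auth_\w+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) sid=(?P<sid>\S+)$")

def parse_log(text):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_shared_sids(text):
    """SIDs with successful logins from more than one source address (a SID bound to a user should not do this)."""
    sources = defaultdict(set)
    for rec in parse_log(text):
        if rec["event"] == "auth_success" and rec["sid"] != "-":
            sources[rec["sid"]].add(rec["src"])
    return {sid: sorted(ips) for sid, ips in sources.items() if len(ips) > 1}

def find_auth_bursts(text, window_seconds=60, threshold=3):
    """Sources with >= threshold auth events (any outcome) in a sliding window; value is the peak count."""
    by_src = defaultdict(list)
    for rec in parse_log(text):
        by_src[rec["src"]].append(datetime.fromisoformat(rec["ts"]))
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window start forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Feed the exported log text to find_shared_sids and find_auth_bursts; any non-empty result is worth a manual review of the sessions involved.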