CVE-2023-24261
Published: 21 June 2023
Summary
CVE-2023-24261 is a high-severity OS Command Injection (CWE-78) vulnerability in Gl-Inet Gl-E750 Firmware. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 8.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A vulnerability tracked as CVE-2023-24261 affects the GL.iNET GL-E750 Mudi router in firmware versions prior to v3.216. The flaw, classified under CWE-78, permits command injection and carries a CVSS 3.1 score of 7.2. It is triggered when an authenticated user submits a specially crafted POST request to the device.
An attacker who already possesses administrative credentials can send the malicious request over the network to execute arbitrary commands on the underlying operating system. Successful exploitation grants full control over the device, allowing the attacker to read or modify data, alter device behavior, and disrupt availability.
The affected firmware versions are those earlier than v3.216; the vendor indicates that updating to v3.216 resolves the issue. Public references consist of technical write-ups that detail the request format used to trigger the injection. The associated EPSS score has remained flat at 0.0664 with no material increase since disclosure.
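As an added illustration of the CWE-78 pattern described above (a constructed example, not GL.iNET firmware code; the POST field name "host" and the ping command are assumptions, since the page does not give the real request format): the vulnerable shape beside its hardened form, plus a check that flags request bodies carrying shell metacharacters for review.

```python
import re
from urllib.parse import parse_qs

# Constructed illustration of CWE-78, not GL.iNET code: an authenticated
# management handler takes a POST field (hypothetical name "host") and
# builds an OS command from it.

# Allowlist for a hostname/IP: starts alphanumeric, no shell metacharacters,
# and cannot begin with "-" so it is never parsed as a command option.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")
# Characters that change the meaning of a command line under sh -c.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")

def vulnerable_command(body: str) -> str:
    """Vulnerable shape: the raw field is spliced into a shell command string
    of the kind firmware hands to system()/sh -c. Returned, never executed here."""
    host = parse_qs(body).get("host", [""])[0]
    return f"ping -c 1 {host}"

def hardened_argv(body: str) -> list:
    """Fixed shape: validate against the allowlist and pass the value as one
    argv element with no shell, so metacharacters are never interpreted."""
    host = parse_qs(body).get("host", [""])[0]
    if not HOST_RE.fullmatch(host):
        raise ValueError("host rejected by allowlist")
    return ["ping", "-c", "1", host]  # for subprocess.run(argv, shell=False)

def hardened_accepts(body: str) -> bool:
    """True if the hardened handler would run the request, False if rejected."""
    try:
        hardened_argv(body)
        return True
    except ValueError:
        return False

def flag_suspicious_bodies(log_lines):
    """Detection: return request IDs whose POST body carries a shell
    metacharacter in any parameter value (input for WAF/SIEM review)."""
    hits = []
    for line in log_lines:
        req_id, body = line.split(" ", 1)
        for values in parse_qs(body, keep_blank_values=True).values():
            if any(SHELL_META.search(v) for v in values):
                hits.append(req_id)
                break
    return hits

# Constructed sample log: two normal requests and one carrying a separator.
SAMPLE_LOG = [
    "r1 host=192.0.2.10",
    "r2 host=example.net",
    "r3 host=192.0.2.10%3Bid",
]
```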
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-28318
Vulnerability details
A vulnerability in GL.iNET GL-E750 Mudi before firmware v3.216 allows authenticated attackers to execute arbitrary code via a crafted POST request.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.