CVE-2023-46454
Published: 12 December 2023
Summary
CVE-2023-46454 is a critical-severity OS command injection (CWE-78) vulnerability in GL.iNet GL-AR300M firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 5.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-46454 is a command injection vulnerability (CWE-78) affecting GL.iNet GL-AR300M routers running firmware version 4.3.7. The issue resides in the package information functionality, where an attacker-supplied package name is not properly sanitized before being passed to a shell command, enabling arbitrary command execution.
The vulnerability carries a CVSS v3.1 score of 9.8 and can be exploited remotely by unauthenticated attackers over the network with no user interaction required. Successful exploitation grants the attacker full control over the device, allowing arbitrary code execution that compromises confidentiality, integrity, and availability.
The referenced technical write-up details the flaw alongside other issues in GL.iNet products but does not describe vendor patches or specific mitigation steps. The associated EPSS score has remained flat at 0.1567, with no material increase since disclosure.
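As an added illustration (not code from the page or from the vendor's firmware), the pattern behind a CWE-78 bug in a package-information handler, beside the hardened form that validates the name against an allow-list and never hands it to a shell. The opkg command line and the package-name charset (lowercase alphanumerics plus '+', '-', '.') are assumptions.

```python
import re
import subprocess
from typing import List

# Assumed package-name charset (Debian/opkg convention): lowercase
# alphanumerics, '+', '-' and '.', first character alphanumeric so the
# name can never be mistaken for a command-line option.
PACKAGE_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+.-]{0,127}")


def vulnerable_package_info_cmd(name: str) -> str:
    """Unsafe pattern: the untrusted name is spliced into a shell string,
    so any shell metacharacters in it become part of the command."""
    return "opkg info " + name  # would then be run through a shell


def is_valid_package_name(name: str) -> bool:
    """Allow-list check: reject anything outside the package-name charset."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def package_info_argv(name: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list so that no
    shell ever parses the name. Raises ValueError on an invalid name."""
    if not is_valid_package_name(name):
        raise ValueError("invalid package name")
    return ["opkg", "info", name]


def package_info(name: str) -> str:
    """Run the hardened command without a shell (shell=False is the default)."""
    result = subprocess.run(package_info_argv(name), capture_output=True,
                            text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: a legitimate name and one carrying a shell metacharacter.
    for candidate in ("busybox", "busybox; id"):
        print(repr(candidate), "valid:", is_valid_package_name(candidate))
```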
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-50670
Vulnerability details
In GL.iNet GL-AR300M routers with firmware v4.3.7, it is possible to inject arbitrary shell commands through a crafted package name in the package information functionality.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.