Cyber Resilience

CVE-2023-46454

Critical · RCE

Published: 12 December 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1567 (94.9th percentile)
Risk Priority: 29 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-46454 is a critical-severity OS command injection (CWE-78) vulnerability in GL.iNet GL-AR300M router firmware version 4.3.7. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 5.1% of all CVEs by EPSS exploit likelihood (94.9th percentile); it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Deeper analysis

CVE-2023-46454 is a command injection vulnerability (CWE-78) affecting GL.iNet GL-AR300M routers running firmware version 4.3.7. The issue resides in the package information functionality: an attacker-supplied package name is passed into a shell command without sanitization or proper quoting, so shell metacharacters embedded in the name are interpreted by the shell and allow execution of arbitrary commands on the device.

The vulnerability carries a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N): it is reachable over the network, requires no privileges and no user interaction. Successful exploitation yields arbitrary command execution on the device, compromising confidentiality, integrity and availability (C:H/I:H/A:H).

The referenced technical write-up describes this flaw alongside other issues in GL.iNet products but does not describe vendor patches or specific mitigation steps. In the absence of a referenced fix, any exposure of the device's management interface to untrusted networks should be treated as exposure to unauthenticated command execution. The EPSS score has remained flat at 0.1567 with no material change since disclosure.

Vulnerability details

In GL.iNET GL-AR300M routers with firmware v4.3.7, it is possible to inject arbitrary shell commands through a crafted package name in the package information functionality.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gl-inet
Product: gl-ar300m firmware
Version: 4.3.7

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing exposure to OS command injection. Caveat: this control is a poor fit for this CVE, since the affected component is router firmware rather than a sandboxed application.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution. For this flaw that means allowlisting the package name (restricting it to the character set a package manager accepts) and passing it to the package tool as a discrete argument rather than interpolating it into a shell string.
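The injection pattern described under Deeper analysis, and the input-validation control listed directly above, as an added illustration in Python. This is written for this page; it is not the firmware's code and does not reproduce the actual vulnerable handler. Assumptions: the firmware shells out to a package tool in the style of `opkg info <name>`, modelled here with `echo` so the example runs anywhere without side effects; the allowlist regex is a constructed approximation of package-name syntax, not one taken from GL.iNet; the attacker payload is constructed for the demonstration.

```python
import re
import subprocess

# Stand-in for the real package-information command. Assumption: the firmware
# shells out to something like `opkg info <name>`; `echo` replaces the package
# tool so the example runs without a package manager and has no side effects.
PACKAGE_INFO_CMD = ["echo", "info-for"]

# Allowlist for package names. Assumption: modelled on common opkg/dpkg naming
# (leading alphanumeric, then alphanumerics, '.', '_', '+', '-'). A leading
# hyphen is deliberately excluded so a name can never be parsed as an option.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,127}$")


def is_safe_package_name(name: str) -> bool:
    """Return True only if name matches the package-name allowlist."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def vulnerable_package_info(name: str) -> str:
    """CWE-78 pattern: the untrusted name is interpolated into a command line
    that /bin/sh then parses, so ';', '|', '$(...)' and friends are honoured."""
    cmd = " ".join(PACKAGE_INFO_CMD) + " " + name  # no validation, no quoting
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def hardened_package_info(name: str) -> str:
    """Hardened form: allowlist-validate first, then hand the name to the tool
    as its own argv element with shell=False so no shell ever sees it."""
    if not is_safe_package_name(name):
        raise ValueError(f"rejected package name: {name!r}")
    result = subprocess.run(
        PACKAGE_INFO_CMD + [name],
        shell=False,
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    benign = "base-files"
    # Constructed attacker input: terminates the intended command and appends another.
    payload = "base-files; echo INJECTED"
    print("vulnerable, benign :", vulnerable_package_info(benign).strip())
    print("vulnerable, payload:", vulnerable_package_info(payload).strip().splitlines())
    print("hardened, benign   :", hardened_package_info(benign).strip())
    try:
        hardened_package_info(payload)
    except ValueError as exc:
        print("hardened, payload  : rejected ->", exc)
```

Running the script shows the payload's second command executing through the vulnerable path and being rejected by the hardened one. Note that wrapping the name in shlex.quote() alone would stop metacharacter injection but not option injection (a name beginning with '-'), which is why the allowlist forbids a leading hyphen and the hardened path avoids the shell entirely rather than trying to escape for it.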
