CVE-2023-46455
Published: 12 December 2023
Summary
CVE-2023-46455 is a high-severity Path Traversal (CWE-22) vulnerability in GL.iNET GL-AR300M firmware. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-46455 is a path traversal vulnerability, tracked under CWE-22, that affects the OpenVPN client file upload functionality in GL.iNET GL-AR300M routers running firmware version 4.3.7. The flaw permits an attacker to write arbitrary files on the device and carries a CVSS 3.1 score of 7.5, reflecting a network attack vector, low attack complexity, and high integrity impact, with no authentication or user interaction required.
An unauthenticated remote attacker can exploit the issue by submitting a crafted file upload request that traverses directories, enabling the placement of malicious files on the router filesystem and thereby compromising device integrity.
The EPSS score for this CVE peaked at 0.5089 on 2025-12-11 and currently stands at 0.4011. Public references include a technical analysis at cyberaz0r.info detailing multiple GL.iNET issues and the vendor site at gl-inet.com.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-50671
Vulnerability details
In GL.iNET GL-AR300M routers with firmware v4.3.7 it is possible to write arbitrary files through a path traversal attack in the OpenVPN client file upload functionality.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
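The control above is the generic fix for the weakness class in this record. As an added illustration (not code from GL.iNET firmware or from the cited analysis), the Python below places the weak pattern, a client-supplied filename joined straight onto the upload directory, beside a hardened version that accepts only a bare `.ovpn` filename and then confirms the resolved target still lies inside the upload directory. The directory `/tmp/ovpn_uploads`, the function names and the `.ovpn` extension rule are assumptions chosen for the example; the page does not describe the device's actual upload handler.

```python
"""Path-validation check for an upload handler (CWE-22 mitigation).
Added illustration; not code from GL.iNET firmware. Paths and names are assumed."""
import os
from pathlib import Path

# Hypothetical upload directory; the real device path is not given on the page.
UPLOAD_DIR = "/tmp/ovpn_uploads"

# Conservative character set for a bare filename (no separators, no '%', no NUL).
ALLOWED_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"
)


def unsafe_upload_path(upload_dir: str, filename: str) -> str:
    """The weak pattern: the client-supplied name is joined unchanged, so
    '..' segments move the write target outside upload_dir."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Hardened form: accept only a bare filename with the expected extension,
    then verify containment of the resolved path. Raises ValueError otherwise."""
    if not filename or filename in (".", ".."):
        raise ValueError("empty or dot filename")
    # Reject both separator styles and NUL regardless of host platform.
    if any(ch in filename for ch in ("/", "\\", "\0")):
        raise ValueError("filename contains a path separator or NUL")
    # Whitelist characters and extension. In a real handler the name must be
    # URL-decoded before this check; the whitelist also rejects undecoded '%xx'.
    if not set(filename) <= ALLOWED_CHARS or not filename.endswith(".ovpn"):
        raise ValueError("filename has disallowed characters or extension")
    base = Path(upload_dir).resolve()
    target = (base / filename).resolve()
    # Defence in depth: resolve() follows symlinks, so confirm containment
    # on the final path rather than trusting the string checks alone.
    if base not in target.parents:
        raise ValueError("resolved path escapes upload directory")
    return str(target)


def is_contained(upload_dir: str, candidate: str) -> bool:
    """True if candidate stays under upload_dir after canonicalisation."""
    base = os.path.realpath(upload_dir)
    cand = os.path.realpath(candidate)
    return os.path.commonpath([base, cand]) == base


def is_rejected(filename: str) -> bool:
    """Convenience wrapper: does the hardened check refuse this filename?"""
    try:
        safe_upload_path(UPLOAD_DIR, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a benign name and a traversal attempt.
    for name in ("client.ovpn", "../../escaped.ovpn"):
        weak = unsafe_upload_path(UPLOAD_DIR, name)
        print(f"{name!r}: unsafe join -> {weak} (contained: {is_contained(UPLOAD_DIR, weak)})")
        print(f"{name!r}: hardened check rejects: {is_rejected(name)}")
```

The ordering matters: the string-level whitelist rejects anything that is not a plain filename before any filesystem call, and the `resolve()` containment check catches what string checks cannot see, such as a symlink inside the upload directory pointing elsewhere.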