Cyber Resilience

CVE-2023-46455

High

Published: 12 December 2023

Modified: 21 November 2024
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.4011 (97.4th percentile)
Risk priority: 39 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-46455 is a high-severity Path Traversal (CWE-22) vulnerability in GL.iNET GL-AR300M firmware. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-46455 is a path traversal vulnerability, tracked under CWE-22, that affects the OpenVPN client file upload functionality in GL.iNET GL-AR300M routers running firmware version 4.3.7. The flaw permits an attacker to write arbitrary files on the device. It carries a CVSS 3.1 score of 7.5, reflecting a network attack vector, low complexity, and high integrity impact, with no authentication or user interaction required.

An unauthenticated remote attacker can exploit the issue by submitting a crafted file upload request that traverses directories, enabling the placement of malicious files on the router filesystem and thereby compromising device integrity.

The EPSS score for this CVE reached a peak of 0.5089 on 2025-12-11 before receding to the current value of 0.4011. Public references include a technical analysis at cyberaz0r.info detailing multiple GL.iNET issues and the vendor site at gl-inet.com.

Vulnerability details

In GL.iNET GL-AR300M routers with firmware v4.3.7 it is possible to write arbitrary files through a path traversal attack in the OpenVPN client file upload functionality.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gl-inet
Product: gl-ar300m firmware
Version: 4.3.7

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
