CVE-2024-39226

Critical · Public PoC · RCE

Published: 06 August 2024
Modified: 12 November 2024
KEV Added: not listed
Patch:
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1364 (94.4th percentile)
Risk Priority: 28 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-39226 is a critical-severity Path Traversal (CWE-22) vulnerability in GL-iNet MT6000 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks in the top 5.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-39226 affects multiple GL-iNet router models running firmware versions including AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4. The flaw is a command injection issue (with an associated path traversal component) in the s2s API that permits arbitrary shell command execution.

Unauthenticated remote attackers can supply crafted input to the s2s interface and thereby execute commands on the device. Successful exploitation grants full control over the router, allowing arbitrary code execution with impacts to confidentiality, integrity, and availability.

The single disclosed reference is a GitHub advisory that documents the s2s interface shell injection vector but does not detail patches or workarounds. The EPSS score has remained flat at 0.1364 with no material increase since publication.

Vulnerability details

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a vulnerability that can be exploited to manipulate routers by passing malicious shell commands through the s2s API.

CWE(s)

CWE-22 Path Traversal
Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Shell injection via s2s API enables remote command execution on network device CLI (T1059.008) and exploitation of remote services (T1210).

Affected Assets

Vendor    Product            Version
gl-inet   mt6000 firmware    4.5.8
gl-inet   a1300 firmware     4.5.16
gl-inet   x300b firmware     4.5.16
gl-inet   ax1800 firmware    4.5.16
gl-inet   axt1800 firmware   4.5.16
gl-inet   mt2500 firmware    4.5.16
gl-inet   mt3000 firmware    4.5.16
gl-inet   x3000 firmware     4.4.8
gl-inet   xe3000 firmware    4.4.8
gl-inet   xe300 firmware     4.3.16
+18 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.
