GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
The vulnerability occurs in the enable_echo_server function, which improperly processes the 'port' parameter passed as a string. An attacker can provide crafted input containing malicious system commands that will be executed by the device. The lack of proper input validation and sanitization allows injection and execution of arbitrary code at the operating system level.
An attacker can gain full control over the device by executing arbitrary system commands, which may lead to breach of confidentiality, integrity, and availability of the system.
Apply patches available from the manufacturer according to the references. Until an update is applied, consider restricting access to the device management interface at the network level and isolating the device from untrusted network segments.
GL-iNet GL-AR300M16 with firmware version 4.3.11
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGl Inet Ar300m16
HWGl-Inetwszystkie wersjeGl Inet Ar300m16 Firmware
OSGl-Inet4.3.11
Related vulnerabilities
Command injection w GL-iNet GL-AR300M16 via parametr module
Command injection w GL-iNet GL-AR300M16 via set_config
Command injection w GL-iNet GL-AR300M16 — funkcja set_upgrade
RCE w firmware GL-iNet — obejście mechanizmu logowania
GL-iNet: RCE i path traversal w /cgi-bin/glc bez uwierzytelnienia