CVE-2024-39227: GL-iNet MT6000 Firmware RCE Vulnerability

CVE-2024-39227 Overview

CVE-2024-39227 is an insecure permissions vulnerability affecting a broad range of GL-iNet router firmware versions. The flaw exists in the /cgi-bin/glc endpoint, which fails to enforce authentication before processing client-supplied JSON data. Unauthenticated attackers reachable over the network can send crafted JSON requests to execute arbitrary code or trigger directory traversal on affected devices. The vulnerability is categorized under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and [CWE-75] (Failure to Sanitize Special Elements). Affected models include the AR750, AR750S, AR300M, MT300N-V2, B1300, MT1300, SFT1200, X750, MT3000, AXT1800, AX1800, A1300, X300B, XE300, E750, AP1300, S1300, XE3000, and X3000.

Critical Impact

Unauthenticated remote attackers can execute arbitrary code on affected GL-iNet routers by sending crafted JSON to /cgi-bin/glc, leading to full device compromise.

Affected Products

• GL-iNet AR750, AR750S, AR300M, AR300M16, MT300N-V2, B1300, MT1300, SFT1200, X750 firmware v4.3.11
• GL-iNet MT3000, MT2500, AXT1800, AX1800, A1300, X300B firmware v4.5.16; XE300 v4.3.16; E750 v4.3.12; AP1300/S1300 v4.3.13
• GL-iNet XE3000/X3000 firmware v4.4 and MT6000 firmware v4.5.8

Discovery Timeline

• 2024-08-06 - CVE-2024-39227 published to NVD
• 2024-08-15 - Last updated in NVD database

Technical Details for CVE-2024-39227

Vulnerability Analysis

The vulnerability resides in the /cgi-bin/glc HTTP endpoint exposed by the GL-iNet web management interface. This endpoint accepts JSON request bodies that are passed to an underlying C library responsible for executing internal device operations. The endpoint does not validate session state or authentication tokens before dispatching the JSON payload. As a result, any network-reachable attacker can submit requests that trigger internal functions normally reserved for authenticated administrators.

Because the endpoint forwards attacker-controlled fields into command-handling logic, malicious JSON can drive the device into executing arbitrary system commands. The same input handling exposes path-controlled operations that an attacker can manipulate to read or write files outside the intended directory scope. The combined impact is unauthenticated remote code execution and arbitrary file access on the router.

Root Cause

The root cause is missing authentication and improper input neutralization on the /cgi-bin/glc interface. The endpoint provides direct access to internal C library routines without enforcing a login check. Combined with insufficient sanitization of JSON fields used in command construction and file path resolution, this design allows injection of special elements that downstream components interpret as commands or traversal sequences.

Attack Vector

Exploitation requires only network access to the router's management interface. An attacker sends a single HTTP POST request containing a crafted JSON document to /cgi-bin/glc. No credentials, user interaction, or prior foothold are required. Devices exposing the management interface to untrusted networks, including LAN segments shared with guest users or any WAN-facing deployment, are directly exposed.

No verified public proof-of-concept code is available. Technical details are documented in the vendor's CVE issue tracker. See the GitHub CVE-Access Issue Report for additional information on the unauthenticated access path.

Detection Methods for CVE-2024-39227

Indicators of Compromise

• HTTP POST requests to /cgi-bin/glc from unauthenticated sources or unexpected IP addresses
• JSON payloads to /cgi-bin/glc containing shell metacharacters, command separators, or path traversal sequences such as ../
• Unexpected outbound connections initiated by the router shortly after requests to /cgi-bin/glc
• Unauthorized changes to router configuration files, firewall rules, or DNS settings

Detection Strategies

• Inspect web server and reverse proxy logs for requests to /cgi-bin/glc that arrive without a valid authenticated session cookie
• Deploy network IDS signatures that flag JSON bodies containing command injection or directory traversal patterns aimed at the glc endpoint
• Correlate management interface requests with subsequent process spawns or file modifications on the device

Monitoring Recommendations

• Forward router syslog and HTTP access logs to a centralized logging platform for retention and correlation
• Alert on any administrative configuration change that does not follow a successful login event
• Monitor for new or unexpected listening services and outbound C2-style traffic from router IP addresses

How to Mitigate CVE-2024-39227

Immediate Actions Required

• Restrict access to the router management interface so that /cgi-bin/glc is not reachable from the WAN or untrusted LAN segments
• Upgrade affected GL-iNet devices to firmware versions released after the listed vulnerable builds as published by the vendor
• Audit configuration, accounts, and firewall rules on potentially exposed devices for signs of unauthorized modification

Patch Information

GL-iNet tracks this issue in its public CVE issue repository. Refer to the GitHub CVE-Access Issue Report and the vendor download portal for the corresponding firmware release that addresses authentication on the /cgi-bin/glc endpoint. Apply the latest available firmware for each affected model listed above.

Workarounds

• Block inbound access to TCP ports hosting the router web interface from the WAN using upstream firewall rules
• Place affected devices on isolated management VLANs accessible only from trusted administrator hosts
• Disable remote administration features on the router until firmware updates are applied

# Example: restrict management interface to a trusted admin host via iptables
iptables -A INPUT -p tcp --dport 80 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP