PT-2024-22254 · Gl.Inet · Gl-Inet Ar300M+14

Published 2024-08-26 · Updated 2024-09-05 · CVE-2024-28077

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

GL-iNet MT6000 versions 4.3.10 through 4.5.6
GL-iNet XE3000 version 4.4.5
GL-iNet X3000 version 4.4.6
GL-iNet MT3000 version 4.5.0
GL-iNet MT2500 version 4.5.0
GL-iNet AXT1800 version 4.5.0
GL-iNet AX1800 version 4.5.0
GL-iNet A1300 version 4.5.0
GL-iNet S200 version 4.1.4-0300
GL-iNet X750 version 4.3.7
GL-iNet SFT1200 version 4.3.7
GL-iNet MT1300 version 4.3.10
GL-iNet AR750 version 4.3.10
GL-iNet AR750S version 4.3.10
GL-iNet AR300M version 4.3.10
GL-iNet AR300M16 version 4.3.10
GL-iNet B1300 version 4.3.10
GL-iNet MT300N-V2 version 4.3.10
GL-iNet XE300 version 4.3.16
Description

A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS and thereby obtain the IP addresses and ports of the exposed devices. By supplying a specially crafted username containing special characters (such as an unpaired parenthesis or square bracket) to the login interface, one can crash the session-management program, leaving customers unable to log into their devices.
Recommendations

For GL-iNet MT6000 versions 4.3.10 through 4.5.6, update to version 4.5.8 to mitigate the risk. For GL-iNet XE3000 version 4.4.5, update to version 4.4.8 to mitigate the risk. For the other affected versions there is currently no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the login interface to minimize the risk of exploitation.
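As an added illustration (not part of the advisory and not GL-iNet code), the following Python snippet shows the defensive side of the issue described above: an allow-list check on the username that a login handler can apply before the name reaches session management, run here as detection logic over constructed sample log lines whose format is an assumption.

```python
import re

# Constructed sample login-attempt log lines; the format is assumed, since the
# advisory does not show the device's own log format.
SAMPLE_LOG = """\
2024-08-26T10:01:02Z login src=203.0.113.10 user="root" result=fail
2024-08-26T10:01:05Z login src=203.0.113.10 user="admin" result=ok
2024-08-26T10:02:11Z login src=198.51.100.7 user="admin(" result=fail
2024-08-26T10:02:13Z login src=198.51.100.7 user="[user" result=fail
2024-08-26T10:02:20Z login src=198.51.100.7 user="a]b" result=fail
"""

LOG_RE = re.compile(r'^(?P<ts>\S+) login src=(?P<src>\S+) user="(?P<user>[^"]*)"')
PAIRS = {"(": ")", "[": "]", "{": "}"}
CLOSERS = set(PAIRS.values())
# Conservative allow-list for usernames: letters, digits, dot, underscore, hyphen.
ALLOWED = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

def has_unbalanced_brackets(s: str) -> bool:
    """True if any parenthesis or bracket in s lacks its matching partner."""
    stack = []
    for ch in s:
        if ch in PAIRS:
            stack.append(PAIRS[ch])
        elif ch in CLOSERS:
            if not stack or stack.pop() != ch:
                return True
    return bool(stack)

def is_safe_username(user: str) -> bool:
    """Allow-list check a login handler can apply before the username is handed
    to session management; rejects the bracket-bearing names the advisory describes."""
    return ALLOWED.fullmatch(user) is not None

def flag_suspicious_logins(log_text: str) -> list[dict]:
    """Return parsed login entries whose username falls outside the allow-list."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a login event in the assumed format
        entry = m.groupdict()
        if not is_safe_username(entry["user"]):
            entry["unbalanced"] = has_unbalanced_brackets(entry["user"])
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    for e in flag_suspicious_logins(SAMPLE_LOG):
        print(e["ts"], e["src"], repr(e["user"]), "unbalanced" if e["unbalanced"] else "")
```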

Related Identifiers

CVE-2024-28077

Affected Products

Gl-Inet A1300
Gl-Inet Ar300M
Gl-Inet Ar300M16
Gl-Inet Ar750
Gl-Inet Ax1800
Gl-Inet Mt1300
Gl-Inet Mt2500
Gl-Inet Mt3000
Gl-Inet Mt300N-V2
Gl-Inet Mt6000
Gl-Inet S200
Gl-Inet Sft1200
Gl-Inet X3000
Gl-Inet X750
Gl-Inet Xe300