CVE-2024-39225

Name of the Vulnerable Software and Affected Versions GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 version 4.3.11 GL-iNet products MT3000/MT2500/AXT1800/AX1800/A1300/X300B version 4.5.16 GL-iNet products XE300 version 4.3.16 GL-iNet products E750 version 4.3.12 GL-iNet products AP1300/S1300 version 4.3.13 GL-iNet products XE3000/X3000 version 4.4

Description A remote code execution vulnerability was discovered in GL-iNet products. The issue is related to the insecure use of srand with time, which could allow an attacker to brute force the session id for a logged-in admin.

Recommendations For version 4.3.11, update to a newer version to mitigate the risk. For version 4.5.16, update to a newer version to mitigate the risk. For version 4.3.16, update to a newer version to mitigate the risk. For version 4.3.12, update to a newer version to mitigate the risk. For version 4.3.13, update to a newer version to mitigate the risk. For version 4.4, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the admin session to minimize the risk of exploitation.