PT-2024-31519 · Gl.Inet · Gl-Inet Mt2500+3

Published: 2024-10-24 · Updated: 2025-10-15 · CVE-2024-45262

CVSS v3.1: 8.8 (High)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

GL-iNet MT6000 version 4.6.2
GL-iNet MT3000 version 4.6.2
GL-iNet MT2500 version 4.6.2
GL-iNet AXT1800 version 4.6.2
GL-iNet AX1800 version 4.6.2

Description

An issue was discovered on certain GL-iNet devices. The params parameter in the call method of the "/rpc" endpoint is vulnerable to arbitrary directory traversal, which enables attackers to execute scripts under any path.

Recommendations

For GL-iNet MT6000 version 4.6.2, consider disabling the /rpc endpoint until a patch is available.
For GL-iNet MT3000 version 4.6.2, restrict access to the params parameter in the call method to minimize the risk of exploitation.
For GL-iNet MT2500 version 4.6.2, avoid using the params parameter in the /rpc endpoint until the issue is resolved.
For GL-iNet AXT1800 version 4.6.2, consider implementing additional security measures to prevent arbitrary directory traversal.
For GL-iNet AX1800 version 4.6.2, restrict access to sensitive paths to prevent script execution.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2024-45262

Affected Products

Gl-Inet Ax1800
Gl-Inet Mt2500
Gl-Inet Mt3000
Gl-Inet Mt6000