CVE-2024-45262

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45262
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The params parameter in the call method of the /rpc endpoint is vulnerable to arbitrary directory traversal, which enables attackers to execute scripts under any path.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Improper%20Pathname%20Restriction%20Leading%20to%20Path%20Traversal%20in%20Restricted%20Directories.md Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:gl-inet:mt2500_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt2500:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:gl-inet:axt1800_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:axt1800:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:gl-inet:ax1800_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ax1800:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:gl-inet:b3000_firmware:4.5.18:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:b3000:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:gl-inet:a1300_firmware:4.5.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:a1300:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:gl-inet:x300b_firmware:4.5.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x300b:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:gl-inet:x3000_firmware:4.4.9:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x3000:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:gl-inet:xe3000_firmware:4.4.9:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe3000:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:gl-inet:x750_firmware:4.3.18:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x750:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:gl-inet:sft1200_firmware:4.3.18:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:sft1200:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:gl-inet:mt1300_firmware:4.3.18:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt1300:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:gl-inet:e750_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:e750:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:gl-inet:xe300_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe300:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:gl-inet:ar750_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar750:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND
cpe:2.3:o:gl-inet:ar750s_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar750s:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND
cpe:2.3:o:gl-inet:ar300m_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND
cpe:2.3:o:gl-inet:mt300n-v2_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt300n-v2:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND
cpe:2.3:o:gl-inet:mt6000_firmware:4.6.2:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt6000:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND
cpe:2.3:o:gl-inet:b1300_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:b1300:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND
cpe:2.3:o:gl-inet:mt3000_firmware:4.6.2:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-mt3000:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND
cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*
History

15 Oct 2025, 17:54

Type Values Removed Values Added
CPE cpe:2.3:h:gl-inet:ar750s:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:mt6000_firmware:4.6.2:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:xe300_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:a1300_firmware:4.5.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt2500:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:e750_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:b3000:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:mt3000_firmware:4.6.2:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt6000:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ar750s_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ax1800_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:mt2500_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:x300b_firmware:4.5.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar750:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ax1800:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:axt1800_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-mt3000:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:axt1800:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe3000:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:e750:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:xe3000_firmware:4.4.9:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:a1300:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x750:-:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x300b:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:x750_firmware:4.3.18:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe300:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ar300m_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:b1300:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:b3000_firmware:4.5.18:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt300n-v2:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:mt300n-v2_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:b1300_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ar750_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:sft1200:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:sft1200_firmware:4.3.18:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt1300:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:mt1300_firmware:4.3.18:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:x3000_firmware:4.4.9:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x3000:-:*:*:*:*:*:*:*
References () https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Improper%20Pathname%20Restriction%20Leading%20to%20Path%20Traversal%20in%20Restricted%20Directories.md - () https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Improper%20Pathname%20Restriction%20Leading%20to%20Path%20Traversal%20in%20Restricted%20Directories.md - Exploit, Third Party Advisory
First Time Gl-inet xe3000 Firmware
Gl-inet x300b
Gl-inet mt2500 Firmware
Gl-inet x750 Firmware
Gl-inet ar300m Firmware
Gl-inet ar750
Gl-inet a1300 Firmware
Gl-inet ar750s Firmware
Gl-inet ar300m16 Firmware
Gl-inet x3000 Firmware
Gl-inet mt6000 Firmware
Gl-inet ax1800
Gl-inet b1300
Gl-inet xe300
Gl-inet mt3000 Firmware
Gl-inet b3000
Gl-inet x750
Gl-inet xe300 Firmware
Gl-inet mt6000
Gl-inet sft1200
Gl-inet ar750s
Gl-inet sft1200 Firmware
Gl-inet axt1800
Gl-inet e750 Firmware
Gl-inet xe3000
Gl-inet mt2500
Gl-inet x300b Firmware
Gl-inet ar300m16
Gl-inet
Gl-inet ax1800 Firmware
Gl-inet ar300m
Gl-inet mt300n-v2
Gl-inet gl-mt3000
Gl-inet mt300n-v2 Firmware
Gl-inet mt1300
Gl-inet b3000 Firmware
Gl-inet axt1800 Firmware
Gl-inet e750
Gl-inet x3000
Gl-inet ar750 Firmware
Gl-inet a1300
Gl-inet b1300 Firmware
Gl-inet mt1300 Firmware
Information

Published : 2024-10-24 21:15

Updated : 2025-10-15 17:54

NVD link : CVE-2024-45262

Mitre link : CVE-2024-45262

CVE.ORG link : CVE-2024-45262

JSON object : View

Products Affected

gl-inet

  • mt2500_firmware
  • axt1800_firmware
  • sft1200
  • xe300
  • mt6000_firmware
  • b1300_firmware
  • mt2500
  • ar300m
  • ar300m16
  • a1300_firmware
  • mt3000_firmware
  • x3000_firmware
  • ar750
  • xe300_firmware
  • ar300m16_firmware
  • e750
  • mt1300
  • x750
  • xe3000_firmware
  • a1300
  • x300b
  • ax1800_firmware
  • ar750s
  • b3000
  • ax1800
  • mt6000
  • ar750s_firmware
  • x750_firmware
  • axt1800
  • e750_firmware
  • gl-mt3000
  • x300b_firmware
  • b1300
  • xe3000
  • x3000
  • ar300m_firmware
  • mt1300_firmware
  • ar750_firmware
  • mt300n-v2
  • sft1200_firmware
  • b3000_firmware
  • mt300n-v2_firmware
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')