CVE-2024-45261

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45261
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The SID generated for a specific user is not tied to that user itself, which allows other users to potentially use it for authentication. Once an attacker bypasses the application's authentication procedures, they can generate a valid SID, escalate privileges, and gain full control.

8.0 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Bypassing%20Login%20Mechanism%20with%20Passwordless%20User%20Login.md Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:gl-inet:mt2500_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt2500:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:gl-inet:axt1800_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:axt1800:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:gl-inet:ax1800_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ax1800:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:gl-inet:b3000_firmware:4.5.18:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:b3000:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:gl-inet:a1300_firmware:4.5.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:a1300:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:gl-inet:x300b_firmware:4.5.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x300b:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:gl-inet:x3000_firmware:4.4.9:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x3000:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:gl-inet:xe3000_firmware:4.4.9:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe3000:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:gl-inet:x750_firmware:4.3.18:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x750:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:gl-inet:sft1200_firmware:4.3.18:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:sft1200:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:gl-inet:mt1300_firmware:4.3.18:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt1300:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:gl-inet:e750_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:e750:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:gl-inet:xe300_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe300:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:gl-inet:ar750_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar750:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND
cpe:2.3:o:gl-inet:ar750s_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar750s:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND
cpe:2.3:o:gl-inet:ar300m_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND
cpe:2.3:o:gl-inet:mt300n-v2_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt300n-v2:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND
cpe:2.3:o:gl-inet:mt3000_firmware:4.6.2:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-mt3000:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND
cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND
cpe:2.3:o:gl-inet:mt6000_firmware:4.6.2:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt6000:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND
cpe:2.3:o:gl-inet:b1300_firmware:4.3.17:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:b1300:-:*:*:*:*:*:*:*
History

No history.

Information

Published : 2024-10-24 21:15

Updated : 2025-10-15 17:54

NVD link : CVE-2024-45261

Mitre link : CVE-2024-45261

CVE.ORG link : CVE-2024-45261

JSON object : View

Products Affected

gl-inet

  • x750
  • mt300n-v2_firmware
  • x300b_firmware
  • mt300n-v2
  • axt1800
  • xe3000
  • ar300m16_firmware
  • ar300m16
  • x750_firmware
  • x3000
  • xe300_firmware
  • xe300
  • ar300m_firmware
  • x3000_firmware
  • ar750s_firmware
  • sft1200
  • a1300_firmware
  • e750_firmware
  • mt6000_firmware
  • mt1300
  • ar300m
  • ax1800_firmware
  • mt1300_firmware
  • ax1800
  • b3000_firmware
  • b1300_firmware
  • axt1800_firmware
  • x300b
  • ar750s
  • gl-mt3000
  • mt2500
  • mt6000
  • xe3000_firmware
  • mt2500_firmware
  • b3000
  • e750
  • mt3000_firmware
  • ar750
  • b1300
  • sft1200_firmware
  • ar750_firmware
  • a1300
CWE
CWE-863

Incorrect Authorization