CVE-2024-28077

A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16.

Published: 2024-08-26 Last update: 2025-03-14 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2024-28077 is rated Moderate Risk (41.2/100): CVSS High severity, with low exploitation likelihood (EPSS 0.13%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2024-28077

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-04-22 0.17% 0.13% -0.04%
2 2025-11-21 0.27% 0.17% -0.11%
3 2025-11-18 0.27%

Full EPSS history (8 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-28077

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 3.9 3.6 [email protected]
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 3.9 3.6 134c704f-9b21-4f2e-91b3-4a467353bcc0

Weakness enumeration for CVE-2024-28077

Affected software / configurations for CVE-2024-28077

Vendor Product Version Raw CPE
gl-inet mt6000_firmware 4.5.6 cpe:2.3:o:gl-inet:mt6000_firmware:4.5.6:*:*:*:*:*:*:*
gl-inet x3000_firmware 4.4.6 cpe:2.3:o:gl-inet:x3000_firmware:4.4.6:*:*:*:*:*:*:*
gl-inet xe3000_firmware 4.4.4 cpe:2.3:o:gl-inet:xe3000_firmware:4.4.4:*:*:*:*:*:*:*
gl-inet a1300_firmware 4.5.0 cpe:2.3:o:gl-inet:a1300_firmware:4.5.0:*:*:*:*:*:*:*
gl-inet ax1800_firmware 4.5.0 cpe:2.3:o:gl-inet:ax1800_firmware:4.5.0:*:*:*:*:*:*:*
gl-inet axt1800_firmware 4.5.0 cpe:2.3:o:gl-inet:axt1800_firmware:4.5.0:*:*:*:*:*:*:*
gl-inet mt2500_firmware 4.5.0 cpe:2.3:o:gl-inet:mt2500_firmware:4.5.0:*:*:*:*:*:*:*
gl-inet mt3000_firmware 4.5.0 cpe:2.3:o:gl-inet:mt3000_firmware:4.5.0:*:*:*:*:*:*:*
gl-inet xe300_firmware 4.3.16 cpe:2.3:o:gl-inet:xe300_firmware:4.3.16:*:*:*:*:*:*:*
gl-inet x750_firmware 4.3.7 cpe:2.3:o:gl-inet:x750_firmware:4.3.7:*:*:*:*:*:*:*
gl-inet sft1200_firmware 4.3.7 cpe:2.3:o:gl-inet:sft1200_firmware:4.3.7:*:*:*:*:*:*:*
gl-inet ar300m_firmware 4.3.10 cpe:2.3:o:gl-inet:ar300m_firmware:4.3.10:*:*:*:*:*:*:*
gl-inet ar300m16_firmware 4.3.10 cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.10:*:*:*:*:*:*:*
gl-inet ar750_firmware 4.3.10 cpe:2.3:o:gl-inet:ar750_firmware:4.3.10:*:*:*:*:*:*:*
gl-inet ar750s_firmware 4.3.10 cpe:2.3:o:gl-inet:ar750s_firmware:4.3.10:*:*:*:*:*:*:*
gl-inet b1300_firmware 4.3.10 cpe:2.3:o:gl-inet:b1300_firmware:4.3.10:*:*:*:*:*:*:*
gl-inet mt1300_firmware 4.3.10 cpe:2.3:o:gl-inet:mt1300_firmware:4.3.10:*:*:*:*:*:*:*
gl-inet mt300n-v2_firmware 4.3.10 cpe:2.3:o:gl-inet:mt300n-v2_firmware:4.3.10:*:*:*:*:*:*:*

References for CVE-2024-28077

cvelogic Threat Intelligence