CVE-2024-45263 [High] | File Upload / RCE in Mt6000 Firmware

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The upload interface allows the uploading of arbitrary files to the device. Once the device executes the files, it can lead to information leakage, enabling complete control.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-05-30	0.04%	0.05%	+0.01%
2	2025-04-15	0.06%	0.04%	-0.01%
3	2025-04-03	—	0.06%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-05-30

0.04%

0.05%

+0.01%

2025-04-15

0.06%

0.04%

-0.01%

2025-04-03

—

0.06%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.8	3.1	HIGH	`CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:A) Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.8

3.1

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:A): Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.8

5.9

134c704f-9b21-4f2e-91b3-4a467353bcc0

Affected software / configurations for CVE-2024-45263

Vendor	Product	Version	Raw CPE
gl-inet	mt6000_firmware	4.6.2	cpe:2.3:o:gl-inet:mt6000_firmware:4.6.2:::::::*
gl-inet	mt3000_firmware	>= 4.6.2, < 4.6.4	cpe:2.3:o:gl-inet:mt3000_firmware::::::::
gl-inet	mt2500_firmware	>= 4.6.2, < 4.6.4	cpe:2.3:o:gl-inet:mt2500_firmware::::::::
gl-inet	axt1800_firmware	>= 4.6.2, < 4.6.4	cpe:2.3:o:gl-inet:axt1800_firmware::::::::
gl-inet	ax1800_firmware	>= 4.6.2, < 4.6.4	cpe:2.3:o:gl-inet:ax1800_firmware::::::::
gl-inet	b3000_firmware	4.5.18	cpe:2.3:o:gl-inet:b3000_firmware:4.5.18:::::::*
gl-inet	a1300_firmware	4.5.17	cpe:2.3:o:gl-inet:a1300_firmware:4.5.17:::::::*
gl-inet	x300b_firmware	4.5.17	cpe:2.3:o:gl-inet:x300b_firmware:4.5.17:::::::*
gl-inet	x3000_firmware	4.4.9	cpe:2.3:o:gl-inet:x3000_firmware:4.4.9:::::::*
gl-inet	xe3000_firmware	4.4.9	cpe:2.3:o:gl-inet:xe3000_firmware:4.4.9:::::::*
gl-inet	x750_firmware	4.3.18	cpe:2.3:o:gl-inet:x750_firmware:4.3.18:::::::*
gl-inet	sft1200_firmware	4.3.18	cpe:2.3:o:gl-inet:sft1200_firmware:4.3.18:::::::*
gl-inet	mt1300_firmware	4.3.18	cpe:2.3:o:gl-inet:mt1300_firmware:4.3.18:::::::*
gl-inet	e750_firmware	4.3.17	cpe:2.3:o:gl-inet:e750_firmware:4.3.17:::::::*
gl-inet	xe300_firmware	4.3.17	cpe:2.3:o:gl-inet:xe300_firmware:4.3.17:::::::*
gl-inet	ar750_firmware	4.3.17	cpe:2.3:o:gl-inet:ar750_firmware:4.3.17:::::::*
gl-inet	ar750s_firmware	4.3.17	cpe:2.3:o:gl-inet:ar750s_firmware:4.3.17:::::::*
gl-inet	ar300m_firmware	4.3.17	cpe:2.3:o:gl-inet:ar300m_firmware:4.3.17:::::::*
gl-inet	ar300m16_firmware	4.3.17	cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.17:::::::*
gl-inet	b1300_firmware	4.3.17	cpe:2.3:o:gl-inet:b1300_firmware:4.3.17:::::::*
gl-inet	mt300n-v2_firmware	4.3.17	cpe:2.3:o:gl-inet:mt300n-v2_firmware:4.3.17:::::::*

References for CVE-2024-45263

URL	Tags
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Arbitrary%20File%20Upload%20to%20ovpn_upload%20via%20Upload%20Interface.md	Issue Tracking Third Party Advisory

URL

CVE-2024-45263

Exploit prediction scoring system (EPSS) score for CVE-2024-45263

Common vulnerability scoring system (CVSS) metrics for CVE-2024-45263

Weakness enumeration for CVE-2024-45263

Affected software / configurations for CVE-2024-45263

References for CVE-2024-45263