|
[Japanese]
|
JVNDB-2025-004671
|
Multiple vulnerabilities in GL-MT2500 and GL-MT2500A
|
|
GL-MT2500 and GL-MT2500A provided by GL.iNet contains multiple vulnerabilities listed below.
- OS command injection (CWE-78) - CVE-2024-57391
- Inefficient regular expression complexity (CWE-1333) - CVE-2025-2811
Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
|
CVSS V3 Severity:
Base Metrics 7.5 (High) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-2811
|
CVSS V3 Severity:
Base Metrics7.2 (High) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-57391
|
|
|
GL.iNet
- GL-MT2500 firmware versions prior to 4.7.0
- GL-MT2500A firmware versions prior to 4.7.0
|
|
|
- A user who logs in to the web interface with the administrative privilege may send a crafted HTTP request and execute an arbitrary OS command on the affected device (CVE-2024-57391)
- A non-authenticated attacker may send a crafted HTTP request and cause a denial of service (DoS) condition (CVE-2025-2811)
|
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
|
|
GL.iNet
|
|
- Inefficient Regular Expression Complexity(CWE-1333) [Other]
- OS Command Injection(CWE-78) [Other]
|
|
- CVE-2024-57391
- CVE-2025-2811
|
|
- JVN : JVNVU#93247159
|
|
- [2025/05/12]
Web page was published
|
