Description
Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000, GL-AR300M, GL-B1300, GL-AX1800, GL-AR750S, GL-MT2500, GL-AXT1800, GL-X3000, and GL-SFT1200.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to bypass authentication on certain GL.iNet routers by submitting a specially crafted username that is both a syntactically valid SQL statement and a valid regular expression. The resulting authentication bypass grants full administrative access, enabling the attacker to alter device configuration, install malware, or disrupt network services. The weakness stems from improper input validation and authorization checks, putting the confidentiality, integrity, and availability of the network infrastructure at risk.

Affected Systems

Affected devices are GL.iNet routers running the 4.x firmware series, specifically models GL-MT3000, GL-AR300M, GL-B1300, GL-AX1800, GL-AR750S, GL-MT2500, GL-AXT1800, GL-X3000, and GL-SFT1200. The vulnerability has been confirmed for firmware version 4.3.7; other 4.x releases are likely affected but not explicitly confirmed in the available data.

Risk and Exploitability

The CVSS score is not supplied, and no EPSS value is available, but the remote nature of the authentication bypass and the direct acquisition of administrative control indicate a high-severity risk. The attack vector is inferred to be local-network or remote management interfaces, where an attacker can send the crafted username to the login endpoint. Since the vulnerability is not listed in the CISA KEV catalog, there is no evidence of widespread exploitation yet, but the potential for targeted attacks remains significant.

Generated by OpenCVE AI on May 8, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from GL.iNet that resolves the username injection flaw to eliminate the authentication bypass. This is the highest priority action, as it directly removes the vulnerability.
  • If a firmware upgrade cannot be performed immediately, isolate the device by disabling remote management services and restricting access to the router’s web interface to trusted local clients only. This reduces the attack surface exposed to potential attackers.
  • Implement strict account controls on the router: enforce strong, unique passwords for all user accounts, and consider disabling default or unused accounts. Monitor management logs for suspicious login attempts.


Tracking


Advisories

No advisories yet.

History

Fri, 08 May 2026 08:30:00 +0000

Values added:
  Title: Authentication Bypass via SQL Injection in GL.iNet 4.x Firmware Devices
  Weaknesses: CWE-284, CWE-89

Fri, 08 May 2026 07:00:00 +0000

Values added:
  Description: Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000, GL-AR300M, GL-B1300, GL-AX1800, GL-AR750S, GL-MT2500, GL-AXT1800, GL-X3000, and GL-SFT1200.


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T06:19:11.467Z

Reserved: 2023-10-23T00:00:00.000Z

Link: CVE-2023-46453

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T07:16:27.850

Modified: 2026-05-08T07:16:27.850

Link: CVE-2023-46453

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T08:30:04Z

Weaknesses