JVNVU#93247159
Multiple vulnerabilities in GL-MT2500 and GL-MT2500A

Overview

GL-MT2500 and GL-MT2500A provided by GL.iNet contains multiple vulnerabilities.

Products Affected

• GL-MT2500 and GL-MT2500A firmware versions prior to 4.7.0

Description

GL-MT2500 and GL-MT2500A provided by GL.iNet contains multiple vulnerabilities listed below.

• OS command injection (CWE-78)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.6
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
  • CVE-2024-57391
• Inefficient regular expression complexity (CWE-1333)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Base Score 8.7
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score 7.5
  • CVE-2025-2811

Impact

• A user who logs in to the web interface with the administrative privilege may send a crafted HTTP request and execute an arbitrary OS command on the affected device (CVE-2024-57391)
• A non-authenticated attacker may send a crafted HTTP request and cause a denial of service (DoS) condition (CVE-2025-2811)

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.