CVE-2023-50922 is a high-severity vulnerability affecting multiple GL.iNet router devices running firmware versions up to 4.5.0. The vulnerability arises from improper handling of uploaded files by the device's administrative interface. Specifically, if an attacker can obtain the AdminToken cookie—used for authenticating administrative sessions—they can upload a specially crafted file formatted as a crontab entry to a designated directory on the device. Because the system processes crontab files to schedule tasks, this malicious file will be executed by the system's cron daemon, allowing the attacker to execute arbitrary code with elevated privileges. This vulnerability affects a broad range of GL.iNet models, including A1300, AX1800, AXT1800, MT3000, MT2500, MT6000, MT1300, MT300N-V2, AR750S, AR750, AR300M, and B1300, across various firmware versions primarily in the 4.x series. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating that the device fails to properly restrict or sanitize uploaded files. The CVSS v3.1 base score is 7.2, reflecting a high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and requiring high privileges (possession of AdminToken cookie). No user interaction is needed once the token is obtained. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the potential for remote code execution on network infrastructure devices. The lack of available patches at the time of reporting further increases the urgency for mitigation.

For European organizations, this vulnerability presents a critical risk to network security and operational continuity. GL.iNet devices are commonly used as routers and access points in small to medium enterprises and possibly in branch offices due to their cost-effectiveness and feature set. Successful exploitation could lead to full compromise of the affected device, allowing attackers to execute arbitrary commands, potentially pivot within the network, intercept or manipulate network traffic, and disrupt services. The compromise of router devices can undermine the confidentiality of sensitive communications, integrity of network configurations, and availability of network connectivity. This is particularly concerning for organizations handling sensitive data under GDPR regulations, as unauthorized access or data interception could lead to compliance violations and financial penalties. Furthermore, the ability to schedule arbitrary tasks via cron could allow persistent backdoors or lateral movement within corporate networks. The requirement to obtain the AdminToken cookie implies that attackers must first breach or phish administrative credentials or session tokens, which may be feasible through social engineering or other vulnerabilities. Given the widespread use of GL.iNet devices in Europe, especially in small offices and remote work environments, the threat could impact a broad range of sectors including finance, healthcare, and government agencies.

1. Immediate mitigation should focus on securing administrative access to GL.iNet devices. This includes enforcing strong, unique passwords for administrative accounts and implementing multi-factor authentication if supported. 2. Network segmentation should be employed to isolate management interfaces from general user networks and the internet, reducing the risk of token theft. 3. Monitor network traffic and device logs for unusual file uploads or crontab modifications, which may indicate exploitation attempts. 4. Restrict access to the device's administrative interface to trusted IP addresses or VPN connections. 5. Regularly update device firmware as soon as GL.iNet releases patches addressing this vulnerability; maintain close communication with the vendor for updates. 6. Employ endpoint detection and response (EDR) solutions to detect anomalous processes or scheduled tasks on network devices. 7. Educate administrators about phishing and session hijacking risks to prevent AdminToken theft. 8. If patching is not immediately possible, consider temporary replacement of affected devices with models not vulnerable or alternative vendors. 9. Conduct penetration testing and vulnerability assessments focusing on router devices to identify potential compromise. These steps go beyond generic advice by emphasizing administrative access protection, network architecture adjustments, and proactive monitoring specific to the nature of this vulnerability.