CVE-2024-39229

An issue in GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, XE3000/X3000 v4, and B2200/MV1000/MV1000W/USB150/N300/SF1200 v3.216 allows attackers to intercept communications via a man-in-the-middle attack when DDNS clients are reporting data to the server.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.3 MEDIUM | NETWORK | HIGH | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
| mitre | CNA | --- | --- | | | |
| CISA-ADP | ADP | 6.5 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |

EPSS Score Percentile: 18%

| Vendor | Product | Version |
|---|---|---|
| gl-inet | mt6000_firmware | 4.5.8 |
| gl-inet | a1300_firmware | 4.5.16 |
| gl-inet | x300b_firmware | 4.5.16 |
| gl-inet | ax1800_firmware | 4.5.16 |
| gl-inet | axt1800_firmware | 4.5.16 |
| gl-inet | mt2500_firmware | 4.5.16 |
| gl-inet | mt3000_firmware | 4.5.16 |
| gl-inet | x3000_firmware | 4.4.8 |
| gl-inet | xe3000_firmware | 4.4.8 |
| gl-inet | xe300_firmware | 4.3.16 |
| gl-inet | e750_firmware | 4.3.12 |
| gl-inet | x750_firmware | 4.3.11 |
| gl-inet | sft1200_firmware | 4.3.11 |
| gl-inet | ar300m_firmware | 4.3.11 |
| gl-inet | ar300m16_firmware | 4.3.11 |
| gl-inet | ar750_firmware | 4.3.11 |
| gl-inet | ar750s_firmware | 4.3.11 |
| gl-inet | b1300_firmware | 4.3.11 |
| gl-inet | mt1300_firmware | 4.3.11 |
| gl-inet | mt300n-v2_firmware | 4.3.11 |
| gl-inet | ap1300_firmware | 3.217 |
| gl-inet | b2200_firmware | 3.216 |
| gl-inet | mv1000_firmware | 3.216 |
| gl-inet | mv1000w_firmware | 3.216 |
| gl-inet | usb150_firmware | 3.216 |
| gl-inet | sf1200_firmware | 3.216 |
| gl-inet | n300_firmware | 3.216 |
| gl-inet | s1300_firmware | 3.216 |

𝑥 = Vulnerable software versions