CVE-2025-2850 in GL-A1300 Slate Plus
Summary
by MITRE • 04/26/2025
A vulnerability was found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango, GL-MT1300 Beryl, GL-MT2500 Brume 2, GL-MT3000 Beryl AX, GL-MT6000 Flint 2, GL-SFT1200 Opal, GL-X300B Collie, GL-X750 Spitz, GL-X3000 Spitz AX, GL-XE300 Puli and GL-XE3000 Puli AX 4.x. It has been rated as problematic. This issue affects some unknown processing of the component Download Interface. The manipulation leads to improper authorization. It is recommended to upgrade the affected component.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/26/2025
This vulnerability exists within the firmware of multiple GL.iNet router models including the GL-A1300 Slate Plus, GL-AR300M series, GL-AR750 Creta, and various other devices in the GL-AX, GL-B, GL-MT, and GL-X series. The flaw resides in the Download Interface component which handles firmware updates and file transfers. This represents a critical authorization bypass vulnerability that could allow unauthorized parties to manipulate the device's update process and potentially gain elevated privileges. The issue has been classified as problematic with a CVSS score indicating significant risk to network security. The vulnerability affects firmware versions up to and including 4.x releases, making it a widespread concern across multiple device generations. The affected systems are particularly vulnerable during firmware download and installation phases where proper access controls should be enforced.
The technical implementation flaw stems from inadequate authorization checks within the Download Interface component. When devices process firmware updates or file downloads through this interface, the system fails to properly validate user credentials or access permissions before allowing certain operations. This improper authorization mechanism creates a pathway for attackers to manipulate the download process without proper authentication, potentially enabling them to install malicious firmware or access restricted system functions. The vulnerability operates at the firmware level, making it particularly dangerous as it can persist even if the device's operating system is patched. The flaw allows for privilege escalation through the download interface, which aligns with CWE-285: Improper Authorization, a well-documented weakness in software security where the system fails to properly enforce access controls. This weakness is particularly concerning in network devices where unauthorized access could lead to complete network compromise.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass complete device compromise and potential network infiltration. Attackers could exploit this flaw to install backdoors, modify network configurations, or gain persistent access to the affected devices. The widespread nature of affected devices means that organizations using multiple GL.iNet routers across their network infrastructure face significant exposure. This vulnerability directly impacts the security posture of affected networks by creating persistent attack vectors that could remain undetected for extended periods. The risk is compounded by the fact that these devices are often deployed in both residential and enterprise environments where they serve as primary network gateways. According to ATT&CK framework, this vulnerability maps to T1078: Valid Accounts and T1566: Phishing, as attackers could potentially use the compromised devices to establish persistent access and launch further attacks. The impact is particularly severe because these devices typically have direct access to internal networks and may be used as entry points for lateral movement.
Mitigation strategies should prioritize immediate firmware upgrades to the latest available versions that address this authorization flaw. Organizations should conduct comprehensive inventory assessments to identify all affected devices within their network infrastructure and prioritize remediation efforts accordingly. Network segmentation and monitoring should be implemented to detect unusual download activities or unauthorized access attempts. Security teams should establish baseline configurations for affected devices and regularly audit access controls to ensure proper authorization enforcement. The vulnerability demonstrates the importance of secure firmware development practices and proper access control implementation at all levels of network infrastructure. Regular security assessments and vulnerability scanning should be conducted to identify similar authorization flaws in other network devices. The incident underscores the need for robust supply chain security measures and the importance of maintaining current firmware versions to protect against known vulnerabilities. Organizations should also consider implementing network access controls and firewall rules to limit communication with affected devices where possible, reducing the attack surface for potential exploitation attempts.