CVE-2023-46453
Authentication Bypass in GL.iNet Devices via SQL Regex Username
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gl.inet | firmware | 4.3.7 |
| gl.inet | firmware | From 4.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-46453 is a remote authentication bypass vulnerability affecting certain GL.iNet routers running firmware version 4.x, including version 4.3.7. The flaw exists in the router's authentication process, specifically in the /usr/sbin/gl-ngx-session file that handles login to the web interface.
The vulnerability arises from improper input sanitization of the username field. An attacker can craft a malicious username that is both a valid regular expression and a valid SQL injection payload. This crafted username manipulates the authentication mechanism by exploiting weak username validation, allowing the attacker to bypass authentication and gain administrative control without a valid password.
The attack involves first retrieving a nonce value from a challenge endpoint, then sending the malicious username to bypass authentication. For example, the username 'roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+' is used to manipulate regex matching and SQL queries simultaneously to log in as the root user.
How can this vulnerability impact me? :
This vulnerability allows an attacker to bypass authentication and gain administrative control over affected GL.iNet routers remotely.
With administrative access, the attacker can access sensitive information such as Wi-Fi credentials, modify router settings, intercept or redirect network traffic, and potentially compromise the entire network connected to the router.
This can lead to unauthorized access to private data, network disruption, and further exploitation of connected devices.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to authenticate to the affected GL.iNet router's web interface using a specially crafted username that exploits the authentication bypass flaw.
The detection involves two stages: first, retrieving a nonce value from the router's challenge endpoint, then sending an authentication request with a malicious username that combines a regex pattern and a SQL injection payload.
A known malicious username example is: roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+
To detect this on your system, you can use tools like curl or custom scripts to interact with the router's RPC endpoints, mimicking the exploit steps: first fetch the nonce, then send the crafted authentication request.
For example, a detection command sequence might be:
- 1. Use curl to get the nonce from the challenge endpoint: `curl http://<router-ip>/rpc/challenge`
- 2. Use curl or a script to send an authentication request with the malicious username and the retrieved nonce to the authentication endpoint, observing if access is granted without a valid password.
Automated proof-of-concept exploit scripts are available that perform these steps to verify vulnerability presence.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the affected GL.iNet router firmware to the patched version released on November 8, 2023, which fixes this authentication bypass vulnerability.
If updating firmware is not immediately possible, restrict access to the router's web interface by limiting network exposure, such as disabling remote management or firewalling access to trusted hosts only.
Additionally, monitor router logs and network traffic for suspicious authentication attempts using crafted usernames similar to the known exploit pattern.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an attacker to bypass authentication and gain administrative control over affected GL.iNet devices, potentially exposing sensitive data such as Wi-Fi credentials.
Such unauthorized access could lead to violations of data protection regulations like GDPR or HIPAA, as it compromises the confidentiality and integrity of personal or sensitive information managed by the device.
Organizations using vulnerable devices may face compliance risks if this flaw is exploited, as it undermines security controls required by these standards.