A critical command injection vulnerability in GL-iNet GL-AR300M16 routers allows attackers to execute arbitrary commands and gain full control over the device.

The set_config function in the router's firmware fails to properly sanitize user input, leading to a command injection vulnerability. An attacker can provide crafted input to execute arbitrary system commands on the router.

A successful exploit grants the attacker full administrative control over the router. With a CVSS score of 9.8, this allows for persistent network monitoring, traffic redirection, and a foothold for lateral movement within the local network. This is particularly dangerous for remote offices or small businesses relying on these devices for secure connectivity.

Immediate Action: Update the GL-iNet firmware to the latest available version that includes a fix for the set_config function.

Proactive Monitoring: Monitor the router for unauthorized configuration changes or unusual outbound traffic that might indicate a compromised device.

Compensating Controls: Disable remote management interfaces and ensure that access to the router's web interface is restricted to trusted local devices only.

Public Exploit Available: No

It is critical to update the firmware on all affected GL-iNet devices immediately. Given the role of routers in network security, a compromise at this level can undermine all other security controls within the environment.