CVE-2025-25684

7.5 HIGH

📋 TL;DR

This path traversal vulnerability in GL-INet Beryl AX GL-MT3000 routers allows attackers to download arbitrary files from the device's file system by sending a specially crafted POST request to the /download endpoint. Attackers can potentially access sensitive configuration files, credentials, or system files. All users running the vulnerable firmware version are affected.

💻 Affected Systems

Products:
  • GL-INet Beryl AX GL-MT3000
Versions: v4.7.0
Operating Systems: GL-INet custom firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web administration interface. The vulnerability is present in the default configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full access to the device file system, including configuration files, SSH keys and passwords, and can potentially pivot to the internal network or modify device firmware.

🟠 Likely Case

Attackers download configuration files containing Wi-Fi passwords, admin credentials, VPN configurations and other sensitive router data.

🟢 If Mitigated

With proper network segmentation and firewall rules, impact is limited to router compromise without lateral movement to other systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires crafting a POST request with path traversal sequences. No authentication bypass is mentioned in the reference.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.7.1 or later

Vendor Advisory: https://www.gl-inet.com/security/

Restart Required: No

Instructions:

  1. Log into the router admin interface.
  2. Navigate to System > Upgrade.
  3. Check for firmware updates.
  4. Download and install v4.7.1 or later.
  5. Verify the update was applied successfully.

🔧 Temporary Workarounds

Disable web admin interface


Temporarily disable the web administration interface to prevent exploitation

ssh admin@router-ip
uci set glconfig.remote.enable=0
uci commit glconfig
/etc/init.d/glconfig restart

Restrict admin interface access


Limit web admin interface access to specific IP addresses only

ssh admin@router-ip
# Keep the WAN zone's default input policy at REJECT (zone index 1 is 'wan' in a default OpenWrt layout)
uci set firewall.@zone[1].input='REJECT'
# Allow the admin interface only from one trusted source address:
# 'src' takes a zone name, 'src_ip' takes the address (replace the placeholder)
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-admin-from-trusted-host'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].src_ip='<trusted-ip>'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='80 443'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart

🧯 If You Can't Patch

  • Implement strict firewall rules to block external access to router admin interface (ports 80/443)
  • Monitor router logs for suspicious download attempts and path traversal patterns

🔍 How to Verify

Check if Vulnerable:

Check current firmware version via web interface (System > Status) or SSH command: cat /etc/glversion

Check Version:

cat /etc/glversion

Verify Fix Applied:

Verify that the firmware version is v4.7.1 or later. A test request to the /download endpoint containing path traversal sequences should return an error rather than file contents.
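The version check above can be scripted so that the output of `cat /etc/glversion` from many routers is compared numerically against the patched release. The following is an added example, not a script from the page or from GL-INet; it assumes only that the file contains a dotted version such as `v4.7.0` or `4.7.1` (optionally followed by a build suffix) and it compares components as integers so that, for example, a future `4.10.0` is not mistaken for an older release than `4.7.1`.

```python
import re
import sys

# Fixed version stated in the advisory: v4.7.1 or later.
PATCHED_VERSION = (4, 7, 1)

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first dotted version from text such as the contents of
    /etc/glversion ('v4.7.0', '4.7.1', '4.7.1-release2') as an int tuple.
    Raises ValueError when no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version string found in: %r" % text)
    return tuple(int(part) for part in m.groups())


def is_unpatched(text):
    """True when the reported firmware predates the fixed release.
    Integer tuple comparison avoids the lexicographic trap where
    '4.10.0' < '4.7.1' as strings."""
    return parse_version(text) < PATCHED_VERSION


if __name__ == "__main__":
    # Usage (assumed hostname/user): ssh admin@router-ip cat /etc/glversion | python3 check_glversion.py
    reported = sys.stdin.read()
    status = "UNPATCHED" if is_unpatched(reported) else "patched"
    print("firmware %s: %s" % (reported.strip(), status))
```

Run it against each router's `/etc/glversion` output; anything reported as UNPATCHED should be upgraded per the instructions above.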

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /download containing '../' sequences
  • Unusual file access patterns in system logs
  • Multiple failed download attempts

Network Indicators:

  • Unusual POST requests to router IP on port 80/443 with path traversal patterns
  • Traffic spikes to /download endpoint

SIEM Query:

source="router_logs" AND (url_path="/download" AND (request_body CONTAINS "../" OR request_body CONTAINS "..\\"))
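The log and network indicators above, and the SIEM query, all reduce to one check: a POST to /download whose body contains a traversal sequence. A literal match on `../` misses percent-encoded (`..%2f`, `%2e%2e/`) and double-encoded (`%252e%252e%252f`) variants, so a detector should decode before matching. The script below is an added example, not code from the page, the aggregator or GL-INet; the log format and every log line in it are constructed (timestamp, client, method, path, status, quoted body) and the threshold for flagging repeat offenders is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed log format for this example (not the router's real log layout):
# <ISO timestamp> <client> <method> <path> <status> body="<request body>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) body="(?P<body>.*)"$'
)

# Matches '../' or '..\' after decoding, mirroring the page's log indicator.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")

# Constructed sample lines: two plain traversals, one URL-encoded, one
# backslash form, one double-encoded, plus benign and off-endpoint traffic.
SAMPLE_LOGS = [
    '2025-03-01T10:00:01Z 192.0.2.10 POST /download 200 body="path=../../../../etc/passwd"',
    '2025-03-01T10:00:02Z 192.0.2.11 POST /download 200 body="path=report.pdf"',
    '2025-03-01T10:00:03Z 192.0.2.12 POST /download 200 body="path=..%2f..%2fetc%2fconfig%2fwireless"',
    '2025-03-01T10:00:04Z 192.0.2.13 GET /cgi-bin/api/router/status 200 body="-"',
    '2025-03-01T10:00:05Z 192.0.2.14 POST /download 200 body="path=..\\..\\etc\\config\\network"',
    '2025-03-01T10:00:06Z 192.0.2.10 POST /download 200 body="path=%252e%252e%252fetc%252fshadow"',
    '2025-03-01T10:00:07Z 192.0.2.15 POST /upload 200 body="path=../../etc/passwd"',
]


def normalize(value, rounds=3):
    """Percent-decode repeatedly (bounded) so single- and double-encoded
    sequences collapse to their literal form before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_traversal_attempts(lines):
    """Alert on POST requests to /download whose decoded body contains '../' or '..\\'."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["path"] != "/download":
            continue
        body = normalize(rec["body"])
        if TRAVERSAL_RE.search(body):
            alerts.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "raw_body": rec["body"],
                "decoded_body": body,
            })
    return alerts


def repeat_offenders(alerts, threshold=2):
    """Clients with at least `threshold` alerts (assumed cut-off for 'multiple attempts')."""
    counts = {}
    for alert in alerts:
        counts[alert["client"]] = counts.get(alert["client"], 0) + 1
    return sorted(client for client, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = find_traversal_attempts(SAMPLE_LOGS)
    for hit in hits:
        print("%(ts)s %(client)s -> %(decoded_body)s (raw: %(raw_body)s)" % hit)
    print("repeat offenders:", repeat_offenders(hits))
```

The encoded variants are the reason the SIEM query above, which only looks for literal `../` and `..\`, should be paired with decoding at ingest or extended with the encoded forms; the traversal against /upload in the sample is deliberately ignored because the advisory scopes the issue to /download.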
