CVE-2025-25685

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to download arbitrary files from GL-INet Beryl AX GL-MT3000 routers by exploiting symbolic link manipulation on external Samba shares. Attackers can access sensitive system files, configuration data, and potentially credentials. This affects users of GL-INet Beryl AX GL-MT3000 routers with external drives configured as Samba shares.

💻 Affected Systems

Products:
  • GL-INet Beryl AX GL-MT3000
Versions: v4.7.0
Operating Systems: GL-INet custom firmware
Default Config Vulnerable: ✅ No
Notes: Requires external drive configured as Samba share. Default configuration does not enable Samba shares on external drives.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of router with access to all files including configuration, credentials, and sensitive system files, potentially leading to network takeover or data exfiltration.
🟠 Likely Case: Unauthorized access to sensitive router configuration files, credentials, and system information that could enable further attacks.
🟢 If Mitigated: Limited file access restricted to non-critical directories if proper access controls and monitoring are implemented.

🌐 Internet-Facing: MEDIUM - Requires Samba share to be exposed to internet, which is not default but possible if misconfigured.
🏢 Internal Only: HIGH - Attackers on the local network can exploit this vulnerability if they have access to the Samba share.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to have write access to external drive to create symbolic links, then access Samba share to traverse file system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.7.1 or later

Vendor Advisory: https://www.gl-inet.com/security/

Restart Required: Yes

Instructions:

  1. Log into router admin interface.
  2. Navigate to System > Firmware.
  3. Check for updates.
  4. If v4.7.1 or later is available, click Upgrade.
  5. Wait for router to reboot automatically.

🔧 Temporary Workarounds

Disable Samba shares on external drives (all)

Remove or disable Samba sharing functionality for external drives. Navigate to Network > Samba in admin interface and disable external drive sharing.

Remove external drives (all)

Physically disconnect external drives from router.

🧯 If You Can't Patch

  • Disable Samba sharing completely in router settings
  • Implement network segmentation to isolate router from untrusted networks
  • Monitor Samba access logs for unusual file access patterns

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System > Firmware. If version is exactly v4.7.0 and external Samba share is enabled, system is vulnerable.

Check Version:

ssh admin@router_ip 'cat /etc/glversion' or check web interface

Verify Fix Applied:

Verify firmware version is v4.7.1 or later in System > Firmware. Test that Samba share no longer allows traversal via symbolic links.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Samba file access patterns
  • Access to system files via Samba
  • Multiple failed access attempts to sensitive paths

Network Indicators:

  • SMB protocol traffic to router on port 445
  • Unusual file download patterns from router

SIEM Query:

source="router_logs" AND (protocol="SMB" OR service="samba") AND (path="*../*" OR path="*/etc/*" OR path="*/root/*")
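
Because the issue depends on symbolic links placed on the external drive, the drive itself can be audited before it is shared. The following is an added example, not code from this page or from the vendor: it assumes the drive is mounted on a workstation, and the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def find_escaping_symlinks(share_root):
    """Return sorted (link_path, resolved_target) pairs for every symlink
    under share_root whose resolved target lies outside share_root."""
    root = os.path.realpath(share_root)
    findings = []
    # followlinks=False: symlinked directories are listed but never entered,
    # so the walk itself cannot leave the drive.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath follows link chains and still returns a path for
            # dangling links, so broken links are classified too.
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                findings.append((path, target))
    return sorted(findings)


def demo():
    """Build a constructed share tree and return the flagged links,
    relative to the share root."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "usb_share")  # hypothetical mount point
        photos = os.path.join(share, "photos")
        os.makedirs(photos)
        open(os.path.join(photos, "a.jpg"), "w").close()
        # Link that stays inside the share: must not be flagged.
        os.symlink("a.jpg", os.path.join(photos, "latest.jpg"))
        # Absolute link to a system directory: escapes the share.
        os.symlink("/etc", os.path.join(share, "docs"))
        # Relative link that climbs above the share root: escapes the share.
        os.symlink("../../outside.txt", os.path.join(photos, "notes.txt"))
        root = os.path.realpath(share)
        return [os.path.relpath(p, root) for p, _ in find_escaping_symlinks(share)]


if __name__ == "__main__":
    for rel in demo():
        print("escapes share root:", rel)
```

Absolute link targets are resolved against the workstation's filesystem, so an absolute link that points back into the router's own mount path is also reported; treat that as a conservative false positive and review it by hand.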
