CVE-2025-67089
📋 TL;DR
A command injection vulnerability in GL-iNet GL-AXT1800 router firmware allows authenticated attackers to execute arbitrary commands with root privileges by exploiting improper input sanitization in the plugins.install_package RPC method. This affects users running firmware version 4.6.8 on GL-AXT1800 routers.
💻 Affected Systems
- GL-iNet GL-AXT1800 router
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete router compromise allowing attackers to install persistent backdoors, intercept all network traffic, pivot to internal networks, and use the router for botnet activities.
Likely Case
Router takeover leading to DNS hijacking, credential theft from network traffic, and installation of cryptocurrency miners or malware distribution points.
If Mitigated
Limited impact if strong authentication controls prevent unauthorized access to the vulnerable interface.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once authenticated. Public technical details available in the referenced Medium article.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for latest patched version
Vendor Advisory: https://www.gl-inet.com/security-updates/
Restart Required: Yes
Instructions:
1. Log into router admin interface. 2. Navigate to System > Firmware Upgrade. 3. Check for updates and install latest firmware. 4. Reboot router after update completes.
🔧 Temporary Workarounds
Disable remote management
allPrevent external access to router management interface
Change default credentials
allUse strong, unique passwords for router admin access
Restrict admin interface access
allLimit which IP addresses can access the management interface
🧯 If You Can't Patch
- Isolate router on separate VLAN with strict firewall rules
- Implement network monitoring for suspicious command execution patterns
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router admin interface under System > Status. If version is 4.6.8, device is vulnerable.Check Version:
Login to router web interface and navigate to System > Status pageVerify Fix Applied:
After updating, verify firmware version shows a version higher than 4.6.8 in System > Status.📡 Detection & Monitoring
Log Indicators:
- Unusual package installation attempts via RPC
- Suspicious command execution in system logs
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unusual outbound connections from router
- DNS queries to suspicious domains
- Unexpected SSH or telnet connections from router
SIEM Query:
source="router_logs" AND ("install_package" OR "plugins.install_package") AND command="*;*" OR command="*|*" OR command="*`*"