CVE-2025-67090
📋 TL;DR
The LuCI web interface on GL.Inet AX1800 routers has no rate limiting and no account lockout on its authentication endpoint, so an unauthenticated attacker on the local network can submit an unlimited number of password guesses against the admin login. The advisory lists GL.Inet AX1800 firmware versions 4.6.4 and 4.6.8 as affected.
💻 Affected Systems
- GL.Inet AX1800
📦 What is this software?
LuCI is the web administration interface of OpenWrt, the Linux router distribution on which GL.Inet firmware is based; on this device it is served from the /cgi-bin/luci endpoint referenced in the detection section below.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could brute-force the admin password, gain full administrative control of the router, and potentially pivot to other network devices or intercept/modify network traffic.
Likely Case
Local network attackers could gain admin access through password brute-forcing, enabling them to change router settings, intercept traffic, or install malicious firmware.
If Mitigated
Network segmentation and access controls shrink the set of hosts that can reach the login endpoint to an authorized management segment, but they do not add the missing rate limit: any host that can still reach the interface can still guess without restriction, so a strong password remains essential until the firmware is upgraded.
🎯 Exploit Status
Exploitation requires only network access to the web interface and a generic HTTP brute-forcing tool; every guess is an ordinary unauthenticated login request, so no exploit code is needed, and the attack is limited only by password strength and by how fast the router answers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.2
Vendor Advisory: https://www.gl-inet.com/security/
Restart Required: Yes
Instructions:
1. Log into the router admin interface.
2. Navigate to System > Upgrade.
3. Upload firmware version 4.8.2.
4. Wait for the upgrade to complete and the router to reboot.
🔧 Temporary Workarounds
Network Segmentation
Isolate the router management interface on a dedicated management VLAN, or restrict access to it to a short list of trusted IP addresses.
Strong Password Enforcement
Use a long, random admin passphrase; with no rate limit on the endpoint, password length and entropy are the only things that make brute-forcing impractical.
🧯 If You Can't Patch
- Implement network access controls so that only trusted devices can reach the router's web interface (TCP ports 80 and 443).
- Change the admin password to a long, complex passphrase that would be difficult to brute-force.
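The "restrict access to trusted IP addresses" workaround above, and the access-control item in this list, can both be implemented with the router's own firewall. The following /etc/config/firewall fragment is an added example, not configuration shipped by GL.Inet or taken from the advisory; the trusted address 192.168.8.10 and the rule names are assumptions for illustration. OpenWrt's default LAN zone accepts all input, which is the weak setting; the two rules below are evaluated in order before that zone default, so the trusted host is accepted and everyone else on the LAN is dropped before reaching the login endpoint.

```text
# Default zone stanza (weak setting): every LAN host may reach the admin UI.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Added rules: allow the admin UI only from one trusted management host ...
config rule
	option name 'Allow-admin-UI-trusted'   # assumed name
	option src 'lan'
	option src_ip '192.168.8.10'           # assumed trusted host
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'

# ... and drop the same ports from every other LAN host.
config rule
	option name 'Drop-admin-UI-others'     # assumed name
	option src 'lan'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'DROP'
```

Apply the change with `/etc/init.d/firewall restart` while connected from the trusted host, since the drop rule will cut off the session of any other host, including the one you are editing from if its address is wrong. This only narrows who can reach the endpoint; the trusted host can still guess without limit, so it complements the strong-passphrase item rather than replacing it.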
🔍 How to Verify
Check if Vulnerable:
Check the router firmware version via the web interface at System > Status. Versions 4.6.4 and 4.6.8 are the ones the advisory lists as affected; any version below the fixed release 4.8.2 has not been confirmed safe and should be upgraded.
Check Version:
Connect to router web interface and navigate to System > Status page
Verify Fix Applied:
After upgrading, verify the firmware version shows 4.8.2 or higher in System > Status.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from the same IP address
- Unusual authentication patterns to /cgi-bin/luci endpoint
Network Indicators:
- High volume of HTTP POST requests to /cgi-bin/luci from single source
- Scripted-client signatures in HTTP traffic: a constant non-browser User-Agent, near-identical POST bodies that differ only in the password field, and request intervals far more regular than a human typing
SIEM Query:
source="router_logs" url="/cgi-bin/luci" method="POST" (status=401 OR status=403) | stats count by src_ip | where count > 10
Field names (src_ip, url, status) follow whatever your log pipeline assigns. Confirm what the device logs for a rejected password before relying on the status filter: LuCI itself answers a failed login with 403, so a query that matches only 401 can miss it.
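The log and network indicators above become useful once they are turned into logic that runs over real log lines. The script below is an added example, not code from the advisory or from GL.Inet. It assumes the router's web server writes Combined Log Format access logs, that a login attempt is a POST to /cgi-bin/luci, and that a rejected attempt is answered with 401 or 403 (FAIL_STATUSES is the assumption to adjust). The lines in SAMPLE_LOG are constructed for the example. It goes one step beyond the SIEM query by counting failures inside a sliding time window, which separates a burst of scripted guesses from an admin who mistypes a password a few times over a day.

```python
"""Flag hosts brute-forcing the LuCI login, run over web-server access logs.

Added example; not code from the advisory or from GL.Inet. Assumes Combined
Log Format, login attempts as POST /cgi-bin/luci, and rejection codes in
FAIL_STATUSES (LuCI itself answers a bad password with 403). SAMPLE_LOG is
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/cgi-bin/luci"
FAIL_STATUSES = {"401", "403"}      # assumption: codes that mean "password rejected"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore any query string
        "status": m["status"],
    }


def find_bruteforcers(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for every source IP that produced at least
    `threshold` rejected login POSTs inside some `window`-long interval."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        if ev["status"] in FAIL_STATUSES:
            failures[ev["ip"]].append(ev["ts"])

    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the left edge forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits


# Constructed sample: one host hammering the login form with a scripted client,
# one legitimate admin who mistypes once and then logs in (302 redirect).
SAMPLE_LOG = [
    f'192.168.8.23 - - [15/Jan/2025:10:00:{s:02d} +0000] '
    f'"POST /cgi-bin/luci HTTP/1.1" 403 1289 "-" "python-requests/2.31"'
    for s in range(12)
] + [
    '192.168.8.23 - - [15/Jan/2025:10:00:30 +0000] '
    '"GET /cgi-bin/luci HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    '192.168.8.10 - - [15/Jan/2025:10:01:00 +0000] '
    '"POST /cgi-bin/luci HTTP/1.1" 403 1289 "-" "Mozilla/5.0"',
    '192.168.8.10 - - [15/Jan/2025:10:01:20 +0000] '
    '"POST /cgi-bin/luci HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} rejected logins to {LOGIN_PATH}")
```

Run against the sample, only 192.168.8.23 is reported: the GET that loads the login page is ignored, and the admin's single failure followed by a successful login never reaches the threshold. Feed real lines in via stdin or a file and tune `threshold` and `window` to the device's normal login rate.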
🔗 References
- https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51
- https://www.gl-inet.com/security/