CVE-2025-67091
📋 TL;DR
A race condition vulnerability in GL.iNet AX1800 router firmware allows authenticated attackers to bypass file locking mechanisms and potentially execute arbitrary code with root privileges. The issue affects users of GL.iNet AX1800 routers with firmware versions 4.6.4 and 4.6.8. Attackers must have authenticated access to the LuCI web interface or API to trigger the vulnerable opkg wrapper script.
💻 Affected Systems
- GL.iNet AX1800
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full router compromise with root-level command injection leading to persistent backdoor installation, network traffic interception, and lateral movement to connected devices.
Likely Case
Authenticated attackers gaining root shell access to modify router configuration, install malicious packages, or disrupt network services.
If Mitigated
Limited impact with proper network segmentation and strong authentication controls preventing unauthorized access to the web interface.
🎯 Exploit Status
Exploitation requires authenticated access and race condition timing, but public technical details exist in referenced articles.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in available information
Vendor Advisory: https://www.gl-inet.com/
Restart Required: Yes
Instructions:
1. Check GL.iNet website for security advisories
2. Monitor for firmware updates beyond version 4.6.8
3. Apply available patches through web interface or manual flash
4. Reboot router after update
🔧 Temporary Workarounds
Disable package management via web interface

Prevent triggering of the vulnerable opkg-call script through the LuCI interface:

```sh
uci set luci.main.mediaurlbase='/luci-static/bootstrap'
uci commit luci
/etc/init.d/uhttpd restart
```
Restrict web interface access

Limit access to the router administration interface to trusted IPs only (the ACCEPT rules must precede the DROP rules, as shown):

```sh
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
```
🧯 If You Can't Patch
- Implement strict network segmentation to isolate router from critical systems
- Enforce strong authentication policies and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface or over SSH:

```sh
cat /etc/glversion
```

Check Version:

```sh
cat /etc/glversion || cat /etc/openwrt_release
```

Verify Fix Applied:
Verify that the firmware version is newer than 4.6.8 and check whether /usr/libexec/opkg-call has been updated.
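The version check above is easy to get wrong in a script: a plain string comparison ranks 4.6.10 below 4.6.8. The following is an added example (not part of the advisory and not GL.iNet code) that reads /etc/glversion as the advisory suggests and compares it field by field against the last known-affected release, 4.6.8, in POSIX sh so it also works under busybox on the router. The `GL_VERSION_OVERRIDE` variable and the "fixed-candidate" label are this example's own conventions.

```sh
#!/bin/sh
# Added example: compare a GL.iNet firmware version string against 4.6.8
# (last affected version named in the advisory) without relying on
# GNU 'sort -V', which busybox may lack.

# ver_gt A B -> returns 0 (true) when A is strictly newer than B.
# Dotted versions are compared numerically field by field.
ver_gt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # strip a non-numeric suffix such as "-release1" so arithmetic works
        ai="$(printf '%s' "$ai" | sed 's/[^0-9].*//')"
        bi="$(printf '%s' "$bi" | sed 's/[^0-9].*//')"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        # advance to the next dotted field, or empty when none remain
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # versions are equal
}

# Reads the installed version from the file the advisory names; off the
# router, GL_VERSION_OVERRIDE (an assumed variable for this example) or
# "unknown" is used instead.
installed_version() {
    if [ -r /etc/glversion ]; then
        head -n1 /etc/glversion
    else
        printf '%s\n' "${GL_VERSION_OVERRIDE:-unknown}"
    fi
}

# vuln_status VERSION -> prints "affected", "fixed-candidate" or "unknown".
# Newer than 4.6.8 only means "not a known-affected build"; the advisory
# gives no patch version, so confirm against the vendor's own notice.
vuln_status() {
    v="$1"
    case "$v" in ''|unknown) echo unknown; return 0 ;; esac
    if ver_gt "$v" "4.6.8"; then
        echo fixed-candidate
    else
        echo affected
    fi
}

vuln_status "$(installed_version)"
```

Run it on the router over SSH; it prints one word so it can be dropped into a fleet inventory script.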
📡 Detection & Monitoring
Log Indicators:
- Unusual opkg package management activity
- Multiple rapid calls to opkg-call script
- Authentication attempts to web interface from unexpected sources
Network Indicators:
- Unusual outbound connections from router
- DNS queries to suspicious domains
- Unexpected SSH or telnet connections
SIEM Query:

```
source="router.log" AND ("opkg-call" OR "package install" OR "LuCI") AND user!="admin"
```
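The "multiple rapid calls to opkg-call" indicator above needs a burst detector rather than a keyword match. The following is an added example, not part of the advisory, that runs a sliding-window count over collected router logs. The log line layout (epoch timestamp, source IP, user, message) and the sample lines are constructed for this example; adapt the awk field positions to what your syslog forwarder actually emits. It counts every user, including admin, because the advisory's attacker is already authenticated, and it assumes lines arrive in time order per source.

```sh
#!/bin/sh
# Added example: flag sources that invoke opkg-call in bursts.
# Log format below is CONSTRUCTED: "<epoch> <src_ip> <user> <message...>".

# Constructed sample: one normal session, then a burst from one source.
SAMPLE_LOG='1700000000 192.168.8.100 admin opkg-call install luci-app-vpn
1700000400 192.168.8.100 admin opkg-call list-installed
1700000900 192.168.8.57 admin opkg-call install foo
1700000900 192.168.8.57 admin opkg-call install foo
1700000901 192.168.8.57 admin opkg-call install foo
1700000901 192.168.8.57 admin opkg-call install foo
1700000902 192.168.8.57 admin opkg-call install foo
1700000903 192.168.8.57 admin opkg-call install foo'

# burst_sources WINDOW_SECONDS THRESHOLD  (log on stdin)
# Prints "src_ip count" for every source whose peak number of opkg-call
# invocations inside any WINDOW_SECONDS span reached THRESHOLD.
burst_sources() {
    awk -v win="$1" -v thr="$2" '
        $4 != "opkg-call" { next }
        {
            src = $2; ts = $1 + 0
            # append this timestamp to the per-source queue
            n[src]++; t[src, n[src]] = ts
            # slide the window head forward past entries older than win
            while (h[src] < n[src] && t[src, h[src] + 1] < ts - win) h[src]++
            cur = n[src] - h[src]
            if (cur > best[src]) best[src] = cur
        }
        END { for (s in best) if (best[s] >= thr) print s, best[s] }
    ' | sort
}

# Usage: 5 or more opkg-call invocations within 10 seconds from one source
printf '%s\n' "$SAMPLE_LOG" | burst_sources 10 5
```

Tune the window and threshold to the baseline on your network; a single legitimate package install from the web interface produces one or two opkg-call lines, not a tight burst.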
🔗 References
- https://aleksazatezalo.medium.com/critical-authentication-bypass-vulnerability-in-gl-inet-gl-axt1800-router-firmware-f19442ca721d
- https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub
- https://www.gl-inet.com/