CVE-2025-67089: GL-iNet GL-AXT1800 Firmware RCE Vulnerability

CVE-2025-67089 Overview

CVE-2025-67089 is a command injection vulnerability in the GL-iNet GL-AXT1800 router firmware version 4.6.8. The flaw resides in the plugins.install_package Remote Procedure Call (RPC) method, which does not properly sanitize user-supplied input within package names. Authenticated attackers can inject shell metacharacters into package name parameters and execute arbitrary commands with root privileges on the underlying operating system. The vulnerability is classified under [CWE-77] (Improper Neutralization of Special Elements used in a Command).

Critical Impact

Authenticated attackers can achieve root-level command execution on affected GL-iNet GL-AXT1800 routers, enabling full device compromise, persistent backdoor installation, and pivoting into adjacent network segments.

Affected Products

• GL-iNet GL-AXT1800 hardware appliance
• GL-iNet GL-AXT1800 firmware version 4.2.0
• GL-iNet GL-AXT1800 firmware versions 4.6.4 and 4.6.8

Discovery Timeline

• 2026-01-08 - CVE-2025-67089 published to the National Vulnerability Database (NVD)
• 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2025-67089

Vulnerability Analysis

The GL-AXT1800 exposes a JSON-RPC management interface used by the device's web UI to install and manage OpenWrt-style packages. The plugins.install_package method accepts a package name parameter that is concatenated into a shell command executed by the router's backend service. Because the parameter is passed without input validation or argument escaping, an authenticated attacker can append shell metacharacters such as ;, |, &&, or backticks to chain arbitrary commands. The resulting commands run as root, granting full control of the device.

The issue requires valid authentication credentials, which constrains the attacker pool to users with access to the management interface. However, GL-iNet routers are often deployed with default credentials, exposed to local networks, and used in travel or remote-work scenarios where credential reuse is common.

Root Cause

The root cause is missing input sanitization in the plugins.install_package RPC handler. The handler treats the package name as a trusted string and forwards it directly to a shell interpreter. No allow-listing of expected package names, no neutralization of shell metacharacters, and no use of safe execution APIs are applied before invocation.

Attack Vector

An authenticated attacker sends a crafted JSON-RPC request to the router's management endpoint with a malicious package_name field. The payload embeds shell metacharacters followed by attacker-controlled commands. When the firmware processes the request, the shell interpreter executes the injected commands as the root user. The attacker can then drop persistence, exfiltrate configuration data including VPN credentials, or use the router as a network pivot.

No verified public exploit code is available. See the Medium technical writeup on the command injection for additional context on the affected RPC method.

Detection Methods for CVE-2025-67089

Indicators of Compromise

• JSON-RPC requests to the router's management interface invoking plugins.install_package with non-standard characters in the package_name field, including ;, |, &, $(), or backticks.
• Unexpected outbound connections originating from the router to attacker-controlled infrastructure following package install requests.
• New or modified files in /tmp, /etc/, or /usr/bin/ on the device, or unfamiliar processes running under root.
• Authentication log entries showing successful logins from unexpected source addresses prior to package management activity.

Detection Strategies

• Inspect HTTP/HTTPS traffic to the router management interface for JSON-RPC payloads containing shell metacharacters in package_name parameters.
• Correlate router authentication events with subsequent install_package RPC calls to flag anomalous post-authentication command sequences.
• Baseline normal package management activity and alert on installations occurring outside maintenance windows or from unusual client addresses.

Monitoring Recommendations

• Forward router syslog, including uhttpd and RPC daemon logs, to a centralized logging platform for retention and correlation.
• Monitor for unexpected outbound traffic from the router itself, particularly DNS, ICMP, or HTTPS connections to unrecognized destinations.
• Track firmware version inventory across managed GL-iNet devices and alert on any device still running firmware v4.6.8 or earlier.

How to Mitigate CVE-2025-67089

Immediate Actions Required

• Upgrade affected GL-AXT1800 devices to the latest firmware version published on the GL.iNet Security Updates page.
• Restrict access to the router's management interface to trusted administrative networks and disable remote management on WAN interfaces.
• Rotate all administrative credentials on affected routers and review accounts for unauthorized additions.
• Audit recent plugins.install_package activity in router logs for signs of exploitation.

Patch Information

GL.iNet publishes firmware updates and security advisories through its official security updates portal. Administrators should apply the firmware release that supersedes version 4.6.8 for the GL-AXT1800 platform. Verify the firmware signature and checksum prior to flashing, and reboot the device to complete the update.

Workarounds

• Place the router's management interface behind a VPN or jump host so the JSON-RPC endpoint is not reachable from untrusted networks.
• Enforce strong, unique administrative passwords and enable any available account lockout or rate-limiting features.
• Segment the router from sensitive internal networks until patching is complete, limiting blast radius if exploitation occurs.

# Configuration example: restrict management interface to LAN only
uci set uhttpd.main.listen_http='192.168.8.1:80'
uci set uhttpd.main.listen_https='192.168.8.1:443'
uci delete uhttpd.main.listen_http='0.0.0.0:80'
uci commit uhttpd
/etc/init.d/uhttpd restart