CVE-2025-67090 Overview
CVE-2025-67090 is a missing rate limiting vulnerability in the LuCI web interface on GL.iNet GL-AX1800 routers running firmware versions 4.6.4 and 4.6.8. The authentication endpoint (/cgi-bin/luci) enforces neither rate limiting nor account lockout, so an unauthenticated attacker on the local network can submit an unlimited number of password guesses against the admin account. The weakness is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). It does not bypass authentication by itself, but it removes the only obstacle to online brute force, so a weak or reused admin password becomes a full compromise of router administration.
Critical Impact
An attacker on the local network can make unlimited password guesses against the router's administrative interface at whatever rate the network and the router's CPU allow. If the admin password is guessable, the attacker gains full control of the device and of everything it enforces for the network: DNS, firewall rules, Wi-Fi credentials and firmware.
Affected Products
- GL.iNet GL-AX1800 Firmware Version 4.6.4
- GL.iNet GL-AX1800 Firmware Version 4.6.8
Discovery Timeline
- 2026-01-08 - CVE-2025-67090 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-67090
Vulnerability Analysis
The LuCI web interface on affected GL.iNet AX1800 routers fails to implement fundamental authentication security controls. When users attempt to authenticate to the router's admin panel via the /cgi-bin/luci endpoint, the system does not track failed login attempts or impose any restrictions on authentication frequency.
This lack of rate limiting allows an attacker with network access to the device to systematically attempt password combinations without encountering delays, lockouts, or other defensive measures. Given that many users configure routers with weak or default passwords, this vulnerability significantly increases the likelihood of successful credential compromise.
The firmware vulnerability has been addressed in version 4.8.2, which implements proper authentication controls to prevent brute force attacks.
Root Cause
The root cause is improper restriction of excessive authentication attempts (CWE-307). The authentication handler in the LuCI web interface processes each login request independently without maintaining a counter for failed attempts or implementing time-based throttling. This design flaw allows attackers to submit login requests as fast as their network connection permits.
Attack Vector
This vulnerability requires network access to the router's administrative interface, which in a default configuration means the local network: the attacker must be on the same segment, either through a wired port or by joining the wireless network (a guest Wi-Fi counts if its firewall zone can reach the router's web ports). If administrative access has been exposed on the WAN, the same endpoint can be attacked from the internet. From that position the attacker targets the /cgi-bin/luci authentication endpoint.
A typical attack uses an automated tool to submit guesses against the admin account: a dictionary attack over lists of common passwords first, then exhaustive search over character combinations if that fails. On OpenWrt-based firmware the LuCI login uses the fixed username root, so only the password has to be guessed. With nothing throttling the endpoint, the rate is bounded only by the network and by how fast the router can verify each password; that allows thousands of guesses per minute and reduces the time to compromise a weak credential from years to minutes or hours.
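The handler shape described under Root Cause, placed next to a throttled version, as an added example: this is not GL.iNet or LuCI code, and the credential store, the wordlist and the 50-guesses-per-second attacker are constructed. It simulates a one-minute dictionary attack against both handlers so the difference a failure counter with lockout makes is visible in numbers rather than adjectives.

```python
"""Added example: a login handler that treats every request independently
(the CWE-307 shape described above) next to one that counts failures and
locks out with exponential backoff.  Nothing here is GL.iNet or LuCI code;
the user database, wordlist and attacker rate are constructed."""
import hashlib
import hmac
from collections import defaultdict

_SALT = b"constructed-salt"          # a real store uses a per-user random salt


def _hash(password: str) -> bytes:
    # Low iteration count keeps the simulation fast; production would use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 1_000)


USERS = {"root": _hash("Winter2024")}   # constructed, deliberately weak admin password
_DUMMY = _hash("dummy")                 # hashed even for unknown users (no timing leak)


def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    ok = hmac.compare_digest(stored or _DUMMY, _hash(password))
    return ok and stored is not None


class UnthrottledLogin:
    """Every request is evaluated on its own: no counter, no delay, no lockout."""

    def attempt(self, src: str, user: str, password: str, now_ms: int) -> str:
        return "ok" if check_password(user, password) else "bad_password"


class ThrottledLogin:
    """Counts failures per (source, user).  After max_failures the key is locked
    for base_lockout_ms, doubled on every further strike, capped at max_lockout_ms."""

    def __init__(self, max_failures=5, base_lockout_ms=30_000, max_lockout_ms=3_600_000):
        self.max_failures = max_failures
        self.base_lockout_ms = base_lockout_ms
        self.max_lockout_ms = max_lockout_ms
        self.failures = defaultdict(int)
        self.strikes = defaultdict(int)
        self.locked_until = {}

    def attempt(self, src: str, user: str, password: str, now_ms: int) -> str:
        key = (src, user)
        if now_ms < self.locked_until.get(key, 0):
            return "locked"                      # password is not even evaluated
        if check_password(user, password):
            self.failures.pop(key, None)
            self.strikes.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.strikes[key] += 1
            lockout = min(self.base_lockout_ms << (self.strikes[key] - 1), self.max_lockout_ms)
            self.locked_until[key] = now_ms + lockout
            self.failures[key] = 0
        return "bad_password"


# Constructed wordlist: 300 guesses, the real password buried at position 200.
WORDLIST = [f"password{i}" for i in range(300)]
WORDLIST[200] = "Winter2024"


def run_dictionary_attack(handler, wordlist, interval_ms=20, window_ms=60_000,
                          src="192.168.8.50", user="root"):
    """Submit one guess every interval_ms for window_ms.  A 'locked' reply means
    the guess was not evaluated, so the attacker retries it on the next tick.
    Returns (found, guesses_evaluated, guesses_rejected)."""
    evaluated = rejected = 0
    i = t = 0
    while t < window_ms and i < len(wordlist):
        result = handler.attempt(src, user, wordlist[i], t)
        if result == "ok":
            return True, evaluated + 1, rejected
        if result == "locked":
            rejected += 1
        else:
            evaluated += 1
            i += 1
        t += interval_ms
    return False, evaluated, rejected


if __name__ == "__main__":
    print("unthrottled:", run_dictionary_attack(UnthrottledLogin(), WORDLIST))
    print("throttled:  ", run_dictionary_attack(ThrottledLogin(), WORDLIST))
```

The unthrottled handler gives up the password on guess 201, about four seconds in at 50 guesses per second; the throttled one evaluates only ten guesses in the whole minute and rejects the rest unread. Keying the counter on (source, user) is a trade-off: an attacker who rotates source addresses on the LAN gets a fresh budget per address, while a lock keyed on the account alone lets anyone lock the administrator out. Real deployments usually combine a per-source limit with a global, delay-based (not hard-lock) per-account throttle.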
Detection Methods for CVE-2025-67090
Indicators of Compromise
- Unusually high volume of HTTP POST requests to /cgi-bin/luci from a single source IP address
- Multiple failed authentication attempts in router logs within short time intervals
- Network traffic patterns indicating automated scripted login attempts
- Successful admin login following a series of failed attempts
Detection Strategies
- Monitor router access logs for authentication attempts exceeding normal user behavior patterns
- Implement network-level monitoring to detect high-frequency requests to the router management interface
- Deploy intrusion detection rules to alert on brute force attack signatures targeting LuCI endpoints
- Configure logging on network infrastructure to capture authentication events from affected devices
Monitoring Recommendations
- Enable system logging on the router and forward it off-box; on OpenWrt-based firmware the remote syslog target is set in /etc/config/system (log_ip and log_port), and logread shows the local ring buffer
- Verify what the firmware actually records before relying on it: log in once with a deliberately wrong password and confirm the failure shows up, because the vulnerable versions do not track failed attempts and may not log them either
- Aggregate router logs to a central SIEM platform for correlation and alerting
- Set up threshold-based alerts for authentication failures exceeding defined limits, for example more than 20 login POSTs from one source within a minute, which is far above what a person at a login form produces
- Regularly review access logs to identify suspicious authentication patterns
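The threshold detection described in the three lists above, run over sample log lines, as an added example rather than any vendor's or product's detection content. The log lines are constructed in combined log format, as a reverse proxy or a network sensor in front of the router might record them; the status codes assume a failed LuCI login answers 403 and a successful one 302, which is an assumption to confirm against your own traffic. The detector keeps a sliding window of login POSTs per source address, raises a burst alert when the threshold is crossed, and raises a second alert if a source that was bursting then receives a login success (the last indicator in the list above).

```python
"""Added example: threshold detection of LuCI login bursts over HTTP access
logs.  The log lines are constructed (combined log format, as a reverse proxy
or a network sensor in front of the router might record them); the status
codes assume a failed LuCI login answers 403 and a successful one 302."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/cgi-bin/luci"


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"].split("?", 1)[0].rstrip("/"), "status": int(m["status"])}


def detect_bruteforce(lines, threshold=20, window_s=60, success_status=302):
    """Sliding-window count of login POSTs per source IP.  Emits a 'burst' alert
    the first time a source reaches `threshold` POSTs inside `window_s` seconds,
    and a 'success_after_burst' alert if such a source later gets a login success."""
    recent = defaultdict(deque)
    bursting = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] != LOGIN_PATH or ev["method"] != "POST":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_s:
            q.popleft()                       # drop POSTs that fell out of the window
        if len(q) >= threshold and ev["ip"] not in bursting:
            bursting.add(ev["ip"])
            alerts.append({"type": "burst", "ip": ev["ip"], "count": len(q), "ts": ev["ts"]})
        if ev["status"] == success_status and ev["ip"] in bursting:
            alerts.append({"type": "success_after_burst", "ip": ev["ip"], "ts": ev["ts"]})
    return alerts


# ---- constructed sample log -------------------------------------------------
_BASE = datetime(2026, 1, 8, 10, 0, 0, tzinfo=timezone.utc)


def _line(ip, offset_s, method, path, status):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    [_line("192.168.8.20", 0, "GET", "/cgi-bin/luci", 200),               # legitimate admin
     _line("192.168.8.20", 3, "POST", "/cgi-bin/luci", 302)]
    + [_line("192.168.8.50", 10 + i * 0.4, "POST", "/cgi-bin/luci", 403)  # 25 guesses in 10 s
       for i in range(25)]
    + [_line("192.168.8.50", 21, "POST", "/cgi-bin/luci", 302),           # a guess succeeds
       _line("192.168.8.50", 22, "GET", "/cgi-bin/luci/admin/system", 200)]
)

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample, the legitimate login from 192.168.8.20 produces nothing, the 20th POST from 192.168.8.50 raises the burst alert, and the following 302 raises the success-after-burst alert, which is the one that should page someone. Tune the threshold to your own baseline; a sliding window keyed on source address is cheap to evaluate in a SIEM but, like the lockout itself, can be diluted by an attacker spreading guesses across several LAN addresses, so also watch the total POST rate to the endpoint regardless of source.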
How to Mitigate CVE-2025-67090
Immediate Actions Required
- Upgrade affected GL.iNet AX1800 routers to firmware version 4.8.2 or later immediately
- Change the administrative password to a strong, unique passphrase with mixed characters
- Restrict network access to the router's management interface to trusted clients only
- Make sure the administrative interface is not reachable from the WAN (remote management and any internet-facing admin access disabled), so the attack surface stays limited to hosts that already have local network access
Patch Information
GL.iNet has released firmware version 4.8.2 which addresses this vulnerability by implementing proper rate limiting and account lockout mechanisms on the authentication endpoint. Administrators should download the update from the official GL.iNet Security Page and apply it through the router's firmware update interface.
For additional technical context regarding GL.iNet router security research, refer to the Medium Blog Post on Command Injection which discusses related vulnerabilities in GL.iNet products.
Workarounds
- Implement network segmentation to isolate the router management interface from untrusted network segments
- Configure firewall rules to limit which IP addresses can access the /cgi-bin/luci endpoint
- Use a long, random administrative passphrase (16+ characters, ideally generated by a password manager); on unpatched firmware nothing limits the guess rate, so password strength is the only control that makes brute force impractical
- Disable the LuCI web interface if command-line management is feasible and enable only when needed
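One way to implement the firewall allowlist listed above on OpenWrt-based firmware such as GL.iNet's, as an added example rather than a GL.iNet-supplied configuration: two rules appended to /etc/config/firewall that accept TCP to the web ports from a single management host and drop it from every other host in the LAN zone. The management address 192.168.8.10 and the 192.168.8.0/24 LAN are assumptions; rules are evaluated in order, so the ACCEPT has to come before the DROP.

```text
# /etc/config/firewall (appended; added example, not GL.iNet's shipped configuration)
# Assumed management host: 192.168.8.10 (give it a static DHCP lease so it does not move)

config rule
	option name 'Allow-admin-ui-from-mgmt-host'
	option src 'lan'
	option src_ip '192.168.8.10'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'

# Everything else in the LAN zone loses access to the web ports that serve /cgi-bin/luci
config rule
	option name 'Drop-admin-ui-from-other-lan-hosts'
	option src 'lan'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'DROP'
```

Apply it with /etc/init.d/firewall restart, then confirm from a non-management host that the login page no longer loads and from the management host that it still does. Two caveats: the allow rule keys on a source address that any LAN host can spoof, so this narrows exposure rather than authenticating the client, and a management VLAN (the first workaround above) is the stronger form of the same idea; and the same ports serve the router's regular web UI, so hosts outside the allowlist lose that as well, which is the intent.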
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

