
CVE-2025-2811: Inefficient Regular Expression Complexity in GL.iNet GL-A1300 Slate Plus

Severity: Medium
Tags: Vulnerability, CVE-2025-2811, cve, cve-2025-2811
Published: Sat Apr 26 2025 (04/26/2025, 07:00:05 UTC)
Source: CVE
Vendor/Project: GL.iNet
Product: GL-A1300 Slate Plus

Description

A vulnerability was found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango, GL-MT1300 Beryl, GL-MT2500 Brume 2, GL-MT3000 Beryl AX, GL-MT6000 Flint 2, GL-SFT1200 Opal, GL-X300B Collie, GL-X750 Spitz, GL-X3000 Spitz AX, GL-XE300 Puli and GL-XE3000 Puli AX 4.x. It has been declared as problematic. This vulnerability affects unknown code of the component API. The manipulation leads to inefficient regular expression complexity. It is recommended to upgrade the affected component.

AI-Powered Analysis

Last updated: 06/24/2025, 21:06:51 UTC

Technical Analysis

CVE-2025-2811 is a vulnerability in multiple GL.iNet router models running firmware version 4.x. Affected devices span a broad range of GL.iNet products, including the GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR750 Creta, GL-AX1800 Flint, GL-B1300 Convexa-B, GL-MT1300 Beryl and GL-X3000 Spitz AX, among others. The vulnerability arises from inefficient regular expression complexity within an unspecified API component of the firmware. An attacker can exploit this inefficiency to cause excessive resource consumption, potentially leading to denial of service (DoS) conditions. Exploitation does not require user interaction, but it does require low-level privileges (PR:L) and adjacent-network access (AV:A), indicating that an attacker must have some authenticated access to the device or network segment.

The CVSS 4.0 base score is 6.9 (medium severity), reflecting a moderate impact primarily on availability (VA:H) without affecting confidentiality or integrity. No known exploits are currently reported in the wild, and no patches or mitigation links have been published yet. The root cause is inefficient handling of regular expressions: when the device processes crafted inputs, it can consume excessive CPU or memory resources, leading to service degradation or outage. Given the wide range of affected models, the vulnerability poses a risk to organizations relying on these GL.iNet devices for network connectivity or edge routing functions.

Potential Impact

For European organizations using GL.iNet routers, this vulnerability could result in network disruptions due to denial of service caused by resource exhaustion. This can impact business continuity, especially for small and medium enterprises or remote offices that depend on these devices for internet access or VPN connectivity. While confidentiality and integrity are not directly impacted, availability degradation can interrupt critical communications and services. The requirement for low-level privileges and network access limits the attack surface to insiders or attackers who have already gained some foothold in the network, but it still represents a significant risk in environments with less stringent access controls. The broad product range affected means that organizations with diverse GL.iNet deployments could face widespread exposure. Additionally, the lack of patches or mitigations at present increases the window of vulnerability. Disruptions could affect sectors reliant on stable network infrastructure, including finance, healthcare, and manufacturing. The vulnerability could also be leveraged as part of a multi-stage attack to degrade defenses or distract security teams.

Mitigation Recommendations

1. Immediate mitigation should focus on restricting access to the management interfaces and APIs of affected GL.iNet devices to trusted administrators only, using network segmentation and access control lists (ACLs).
2. Monitor device performance and logs for signs of resource exhaustion or unusual API request patterns that could indicate exploitation attempts.
3. Disable or limit features that expose the vulnerable API component if possible, pending vendor patches.
4. Implement strict authentication and authorization controls to prevent unauthorized access, including strong password policies and multi-factor authentication where supported.
5. Regularly check for firmware updates from GL.iNet and apply patches as soon as they become available.
6. Consider deploying network-based intrusion detection/prevention systems (IDS/IPS) to detect anomalous traffic patterns targeting these devices.
7. For critical environments, evaluate the feasibility of replacing affected devices with alternatives not impacted by this vulnerability until a patch is released.
8. Educate network administrators about this vulnerability and encourage vigilance for related indicators of compromise.
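One way to act on recommendation 2, as an added example that is not code from GL.iNet or from this advisory: the Python script below scans API access-log lines for clients whose requests repeatedly run far slower than the baseline or end in gateway timeouts, the availability symptom described above. The log format, the `/api` path, the addresses and the thresholds are assumptions; adapt the parser to whatever the device or an upstream proxy actually records.

```python
from collections import defaultdict
from statistics import median

# Constructed sample in a hypothetical format (not a GL.iNet log format):
# <time> <client> <method> <path> <status> <request_bytes> <duration_ms>
SAMPLE_LOG = """\
2025-06-24T21:00:01Z 192.168.8.10 POST /api 200 212 14
2025-06-24T21:00:02Z 192.168.8.11 POST /api 200 198 12
2025-06-24T21:00:03Z 192.168.8.77 POST /api 200 1840 9500
2025-06-24T21:00:04Z 192.168.8.10 POST /api 200 220 16
2025-06-24T21:00:34Z 192.168.8.77 POST /api 504 1902 30000
2025-06-24T21:00:35Z 192.168.8.11 POST /api 200 205 13
2025-06-24T21:00:36Z 192.168.8.10 POST /api 200 231 18
malformed entry
2025-06-24T21:01:06Z 192.168.8.77 POST /api 504 1875 30000
2025-06-24T21:01:07Z 192.168.8.11 POST /api 200 190 11
2025-06-24T21:01:08Z 192.168.8.10 POST /api 200 2100 600
2025-06-24T21:01:35Z 192.168.8.77 POST /api 200 1888 27000
"""

def parse(line):
    """Split one log line into fields; return None for malformed lines.
    Uses str.split, so the parser itself has no regex backtracking cost."""
    parts = line.split()
    if len(parts) != 7 or not all(p.isdigit() for p in parts[4:]):
        return None
    return {"client": parts[1], "path": parts[3], "status": int(parts[4]),
            "bytes": int(parts[5]), "ms": int(parts[6])}

def suspicious_clients(log_text, slow_factor=20, min_hits=3, baseline_ms=None):
    """Return clients with at least min_hits requests that were either
    slow_factor times slower than the baseline or ended in 502/504."""
    rows = [r for r in map(parse, log_text.splitlines()) if r]
    if not rows:
        return {}
    # Assumption: the median of the window approximates normal latency.
    # Pass baseline_ms from a known-good period when slow traffic dominates.
    base = baseline_ms if baseline_ms is not None else median(r["ms"] for r in rows)
    limit = slow_factor * max(base, 1)
    hits = defaultdict(list)
    for r in rows:
        if r["ms"] >= limit or r["status"] in (502, 504):
            hits[r["client"]].append(r)
    return {c: {"count": len(rs), "max_ms": max(r["ms"] for r in rs),
                "max_bytes": max(r["bytes"] for r in rs)}
            for c, rs in hits.items() if len(rs) >= min_hits}

if __name__ == "__main__":
    for client, stats in suspicious_clients(SAMPLE_LOG).items():
        print(client, stats)
```

The `min_hits` threshold keeps a single slow request, such as the one from 192.168.8.10 in the sample, from raising an alert.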


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-03-26T12:11:36.452Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d983dc4522896dcbef4bf

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/24/2025, 9:06:51 PM

Last updated: 7/30/2025, 9:12:11 PM
