CVE-2025-29269 is an OS command injection vulnerability identified in the ALLNET ALL-RUT22GW router firmware version 3.3.8. The vulnerability resides in the 'command' parameter of the popen.cgi endpoint, which is used to execute system commands. Due to insufficient input validation, an unauthenticated remote attacker can inject arbitrary operating system commands, leading to full system compromise. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), which typically allows attackers to execute arbitrary commands with the privileges of the affected application. The CVSS v3.1 base score is 9.8, reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). No patches or fixes are currently listed, and no exploits are known in the wild yet, but the critical nature and ease of exploitation make it a high-risk vulnerability. Attackers exploiting this flaw could gain control over the router, intercept or manipulate network traffic, deploy malware, or pivot to internal networks. The router is commonly used in small to medium enterprise and industrial environments, making it a valuable target for attackers.

For European organizations, exploitation of this vulnerability could lead to severe consequences including unauthorized access to internal networks, interception of sensitive communications, disruption of network services, and potential data exfiltration. Critical infrastructure relying on these routers could face operational outages or be leveraged as entry points for broader attacks. The ability to execute arbitrary commands remotely without authentication significantly raises the risk profile, especially for organizations with remote management enabled or exposed devices. The compromise of routers in sectors such as manufacturing, energy, or telecommunications could have cascading effects on supply chains and service availability. Additionally, the lack of known patches increases the window of exposure, necessitating immediate defensive actions. The vulnerability could also be leveraged for persistent access or to deploy ransomware within affected networks.

Organizations should immediately audit their networks to identify the presence of ALLNET ALL-RUT22GW routers running vulnerable firmware. Until a patch is released, it is critical to disable remote management interfaces and restrict access to the popen.cgi endpoint via firewall rules or network segmentation. Implement strict network access controls to limit exposure of management interfaces to trusted internal networks only. Monitor network traffic for unusual requests targeting the popen.cgi endpoint or suspicious command execution patterns. Employ intrusion detection/prevention systems with updated signatures to detect exploitation attempts. Regularly back up router configurations and maintain incident response plans tailored to network device compromise. Once a vendor patch or firmware update becomes available, prioritize its deployment across all affected devices. Additionally, consider replacing vulnerable hardware if updates are not forthcoming or feasible.