
CVE-2025-44018: CWE-295: Improper Certificate Validation in GL-Inet GL-AXT1800

Severity: High
Tags: CVE-2025-44018, CWE-295
Published: Mon Nov 24 2025 (11/24/2025, 15:11:02 UTC)
Source: CVE Database V5
Vendor/Project: GL-Inet
Product: GL-AXT1800

Description

A firmware downgrade vulnerability exists in the OTA Update functionality of GL-Inet GL-AXT1800 4.7.0. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

AI-Powered Analysis

AI analysis last updated: 12/01/2025, 15:48:31 UTC

Technical Analysis

CVE-2025-44018 is a vulnerability identified in the GL-Inet GL-AXT1800 router firmware version 4.7.0. The root cause is improper certificate validation (CWE-295) within the Over-The-Air (OTA) update functionality. Specifically, the device fails to correctly validate the authenticity of firmware update packages, allowing an attacker to craft a malicious .tar file that can trigger a firmware downgrade. This downgrade bypasses security improvements or patches present in later firmware versions, potentially reintroducing previously fixed vulnerabilities or enabling new attack vectors. The attack requires a man-in-the-middle position on the network to intercept and manipulate the OTA update process. The CVSS v3.1 score of 8.3 reflects the high impact on confidentiality, integrity, and availability, with network attack vector, high attack complexity, no privileges required, but user interaction needed. The scope is changed, meaning the attack can affect components beyond the vulnerable device itself. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk if weaponized. The lack of available patches at the time of publication increases the urgency for mitigation. This vulnerability highlights the critical importance of robust certificate validation in firmware update mechanisms to prevent downgrade and MitM attacks.
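The analysis above describes the two checks an OTA updater must get right: the update package has to be authenticated before anything in it is trusted, and an authenticated package must still be refused if it carries a version older than the one installed. The following is an added illustration, not GL-Inet's code and not a description of the GL-AXT1800's actual update format; it constructs a toy .tar in memory (manifest, signature, image) and uses an HMAC with a constructed key as a stand-in for the vendor certificate check.

```python
import hashlib
import hmac
import io
import json
import tarfile

# Constructed stand-in for the vendor signing key; a real device would verify
# the manifest against a pinned vendor certificate instead of a shared secret.
VENDOR_KEY = b"constructed-demo-key"
INSTALLED_VERSION = (4, 7, 0)  # version named in the advisory


def parse_version(s):
    return tuple(int(p) for p in s.split("."))


def build_update(version, key=VENDOR_KEY):
    """Construct an in-memory OTA .tar: manifest, its signature, and a fake image."""
    image = b"firmware-image-" + version.encode()
    manifest = json.dumps({"version": version,
                           "image_sha256": hashlib.sha256(image).hexdigest()}).encode()
    sig = hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("manifest.json", manifest), ("manifest.sig", sig), ("image.bin", image)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_update(tar_bytes, installed=INSTALLED_VERSION, key=VENDOR_KEY):
    """Return (ok, reason). Rejects unauthenticated packages and downgrades."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    for required in ("manifest.json", "manifest.sig", "image.bin"):
        if required not in members:
            return False, f"missing {required}"
    # 1. Authenticity: the manifest signature is checked before any field is used.
    expected = hmac.new(key, members["manifest.json"], hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, members["manifest.sig"]):
        return False, "manifest signature invalid"
    manifest = json.loads(members["manifest.json"])
    # 2. Integrity: the image must match the hash the signed manifest commits to.
    if hashlib.sha256(members["image.bin"]).hexdigest() != manifest["image_sha256"]:
        return False, "image hash mismatch"
    # 3. Anti-rollback: a validly signed but older version is still refused.
    if parse_version(manifest["version"]) < installed:
        return False, f"downgrade to {manifest['version']} refused"
    return True, "ok"
```

The third check is the one a pure signature check misses: an attacker in a man-in-the-middle position can replay a genuinely signed older package, so version monotonicity has to be enforced independently of authenticity.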

Potential Impact

For European organizations, this vulnerability could lead to severe consequences including unauthorized access to network traffic, interception of sensitive data, and persistent compromise of network infrastructure. Downgraded firmware may re-enable previously patched vulnerabilities, increasing the attack surface and enabling further exploitation such as remote code execution or denial of service. Critical sectors relying on GL-Inet GL-AXT1800 routers for secure connectivity—such as government, finance, healthcare, and industrial control systems—may face data breaches, operational disruptions, and regulatory non-compliance. The man-in-the-middle attack vector means that attackers with network access, such as malicious insiders or compromised local networks, can exploit this vulnerability. Given the interconnected nature of European networks and supply chains, exploitation could propagate beyond individual organizations, impacting broader regional cybersecurity posture.

Mitigation Recommendations

European organizations should immediately audit their network environments to identify the presence of GL-Inet GL-AXT1800 devices running firmware version 4.7.0. Until an official patch is released, organizations should disable automatic OTA updates or restrict update functionality to trusted network segments. Employ network segmentation and strict access controls to limit exposure of vulnerable devices to untrusted networks. Implement network monitoring to detect unusual OTA update traffic or MitM attack indicators. Use VPNs or encrypted tunnels for device management to reduce the risk of interception. Engage with GL-Inet support channels to obtain firmware updates or advisories. Additionally, consider deploying endpoint detection and response (EDR) solutions to identify potential exploitation attempts. Finally, educate users about the risks of interacting with unexpected update prompts to minimize user interaction exploitation.


Technical Details

Data Version: 5.2
Assigner Short Name: talos
Date Reserved: 2025-07-21T21:26:26.309Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6924792eefc7406fa6649b4e

Added to database: 11/24/2025, 3:26:38 PM

Last enriched: 12/1/2025, 3:48:31 PM

Last updated: 12/4/2025, 12:14:19 AM

Views: 67
