
CVE-2025-67089: n/a

Severity: High
Published: Thu Jan 08 2026 (01/08/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize user input in package names. Authenticated attackers can exploit this to execute arbitrary commands with root privileges.

AI-Powered Analysis

Last updated: 01/08/2026, 16:01:13 UTC

Technical Analysis

CVE-2025-67089 identifies a critical command injection vulnerability in the GL-iNet GL-AXT1800 router firmware version 4.6.8. The flaw resides in the plugins.install_package RPC method, which is responsible for installing packages on the router. This method fails to properly sanitize the package name input parameter, allowing an authenticated attacker to inject arbitrary shell commands. Because the commands execute with root privileges, the attacker can fully compromise the device, including modifying configurations, installing persistent backdoors, or pivoting to other network assets. The vulnerability requires the attacker to be authenticated to the router, which could be achieved via stolen credentials or weak authentication mechanisms. No public exploits or patches are currently available, and no CVSS score has been assigned yet. The lack of input validation in a critical RPC method highlights a serious security oversight in the firmware. The attack surface includes any network or user with administrative access to the router’s management interface. This vulnerability could be leveraged in targeted attacks against organizations using GL-iNet routers, especially in environments where these devices serve as gateways or VPN endpoints. The root-level command execution capability significantly elevates the risk, as it allows complete control over the device and potentially the internal network. The absence of a CVSS score necessitates an expert severity assessment based on impact and exploitability factors.

Potential Impact

For European organizations, exploitation of CVE-2025-67089 could lead to full compromise of affected GL-iNet GL-AXT1800 routers, resulting in loss of confidentiality, integrity, and availability of network traffic passing through these devices. Attackers could intercept sensitive communications, disrupt network services, or use the compromised routers as footholds for lateral movement within corporate networks. This is particularly concerning for organizations relying on these routers for VPN access or critical infrastructure connectivity. The root-level access gained by attackers could also enable installation of persistent malware or manipulation of routing configurations, severely impacting business continuity. Given the router’s role in network perimeter defense, successful exploitation could undermine overall network security posture. The lack of known exploits currently reduces immediate risk, but the presence of a publicly disclosed vulnerability increases the likelihood of future exploitation attempts. European entities with limited patch management capabilities or weak authentication controls are especially vulnerable. The impact extends beyond individual organizations to potentially affect supply chains and critical infrastructure sectors that depend on secure network communications.

Mitigation Recommendations

1. Immediately restrict administrative access to the GL-iNet GL-AXT1800 routers by limiting management interfaces to trusted IP addresses and enforcing strong authentication mechanisms such as multi-factor authentication.
2. Monitor network traffic and router logs for unusual RPC calls or package installation attempts that could indicate exploitation attempts.
3. Disable or restrict the plugins.install_package RPC method if possible until a firmware patch is released.
4. Engage with GL-iNet support channels to obtain information on firmware updates or patches addressing this vulnerability and apply them promptly once available.
5. Conduct regular audits of router configurations and credentials to ensure no unauthorized changes or access.
6. Segment networks to isolate critical systems from routers exposed to less trusted environments, reducing lateral movement risks.
7. Educate network administrators about this vulnerability and encourage vigilance for suspicious activity related to router management.
8. Consider deploying network-based intrusion detection systems capable of identifying command injection patterns or anomalous RPC usage targeting routers.

These measures go beyond generic advice by focusing on immediate access control, monitoring, and configuration hardening specific to the affected device and vulnerability vector.
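The missing input check described in the technical analysis, and the log monitoring in recommendation 2, can share one allowlist. The following is an added example, not GL-iNet code or part of the original advisory; the record shape (`src`, `method`, `params.name`), the name pattern, and every method name other than `plugins.install_package` are assumptions made for illustration.

```python
import re

# Assumed allowlist for opkg-style package names: starts alphanumeric,
# then letters, digits, '+', '.', '_' or '-'. Not taken from GL-iNet firmware.
PKG_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9+._-]{0,127}")

TARGET_METHOD = "plugins.install_package"  # method name as given in the advisory


def is_safe_package_name(name):
    """True only if the whole value is a plain package name."""
    # fullmatch rejects trailing newlines, shell metacharacters, and a
    # leading '-' that a package tool could read as an option.
    return isinstance(name, str) and PKG_NAME.fullmatch(name) is not None


def flag_suspicious_calls(records):
    """Return (source, name) for install calls whose name fails the allowlist.

    Each record is a dict in a hypothetical log shape:
    {"src": ip, "method": str, "params": {"name": value or list of values}}
    """
    hits = []
    for rec in records:
        if rec.get("method") != TARGET_METHOD:
            continue
        names = rec.get("params", {}).get("name")
        if not isinstance(names, list):
            names = [names]
        for name in names:
            if not is_safe_package_name(name):
                hits.append((rec.get("src"), name))
    return hits


# Constructed sample records (not captured from a real device).
SAMPLE = [
    {"src": "192.0.2.10", "method": TARGET_METHOD, "params": {"name": "tcpdump"}},
    {"src": "192.0.2.10", "method": "example.other_method", "params": {}},
    {"src": "192.0.2.44", "method": TARGET_METHOD, "params": {"name": "tcpdump;true"}},
    {"src": "192.0.2.44", "method": TARGET_METHOD, "params": {"name": ["luci-app-x", "--opt"]}},
    {"src": "192.0.2.44", "method": TARGET_METHOD, "params": {}},
]

if __name__ == "__main__":
    for src, name in flag_suspicious_calls(SAMPLE):
        print(f"suspicious install_package from {src}: {name!r}")
```

The same `is_safe_package_name` check is what a fixed handler would apply before passing the name to the package tool as a separate argument rather than through a shell string.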


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-08T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 695fd2d12717593a3341ed5b

Added to database: 1/8/2026, 3:52:49 PM

Last enriched: 1/8/2026, 4:01:13 PM

Last updated: 1/9/2026, 12:16:59 PM
