CVE-2025-67089 is a command injection vulnerability identified in the GL-iNet GL-AXT1800 router firmware version 4.6.8. The flaw exists in the `plugins.install_package` RPC method, which is responsible for installing software packages on the device. This method fails to properly sanitize user-supplied input in the package name parameter, allowing an authenticated attacker to inject arbitrary shell commands. Because the router executes these commands with root privileges, successful exploitation grants full control over the device. The vulnerability is remotely exploitable over the network, requiring the attacker to authenticate to the router's management interface but not requiring any additional user interaction. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality and integrity, with no impact on availability. Although no public exploits have been reported yet, the severity and ease of exploitation make this a critical concern for affected users. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command), a common and dangerous injection flaw. No patches or vendor advisories are currently available, increasing the urgency for defensive measures. Attackers exploiting this vulnerability could manipulate router configurations, intercept or redirect network traffic, or use the device as a foothold for further network compromise.

For European organizations, exploitation of this vulnerability could lead to complete compromise of affected routers, which are often used as network gateways or in branch office environments. This can result in unauthorized access to internal networks, interception of sensitive communications, and disruption of network operations. The root-level access gained by attackers could allow installation of persistent malware, creation of backdoors, or participation in botnets. Confidentiality and integrity of data traversing the compromised routers would be severely impacted. Given the critical role of routers in network security, this vulnerability could facilitate lateral movement within corporate networks or critical infrastructure systems. Organizations in sectors such as finance, healthcare, government, and telecommunications are particularly at risk due to the sensitivity of their data and the strategic importance of their networks. The lack of available patches increases the window of exposure, emphasizing the need for immediate mitigation steps.

1. Immediately restrict access to the router’s management interface to trusted networks and users only, using network segmentation and firewall rules. 2. Enforce strong authentication mechanisms and change default credentials to prevent unauthorized login. 3. Monitor router logs and network traffic for unusual activity indicative of exploitation attempts, such as unexpected RPC calls or command executions. 4. Disable or restrict the use of the `plugins.install_package` RPC method if possible, or limit its accessibility to highly trusted administrators. 5. Implement network-level protections such as intrusion detection/prevention systems (IDS/IPS) to detect command injection patterns or anomalous behavior. 6. Regularly check for firmware updates from GL-iNet and apply patches promptly once available. 7. Consider deploying additional endpoint security controls on devices behind the router to detect lateral movement or unusual network behavior. 8. Educate network administrators about this vulnerability and the importance of monitoring and access controls.