CVE-2025-67091 is a vulnerability identified in the GL.iNet AX1800 router models running firmware versions 4.6.4 and 4.6.8. The root cause lies in a custom opkg package management wrapper script located at /usr/libexec/opkg-call, which is executed with root privileges when triggered through the LuCI web interface or authenticated API calls. The script uses shell redirection to create a lock file in the /tmp directory, which is world-writable. This insecure handling of file creation allows an attacker with authenticated access to manipulate the lock file, potentially leading to arbitrary command execution with root privileges. Because the script runs as root, successful exploitation can result in full system compromise, including the ability to install malicious software, alter configurations, or pivot to other network assets. The vulnerability requires authentication, which limits exposure to attackers who have gained credentials or have access to the management interface. No public exploits or patches have been reported at the time of publication, increasing the urgency for organizations to implement mitigations. The vulnerability affects the integrity and availability of the device and potentially the confidentiality of network traffic routed through it. The lack of a CVSS score necessitates an assessment based on the technical details, which indicate a high severity due to root-level code execution and the potential for widespread impact on network security.

For European organizations, exploitation of CVE-2025-67091 could lead to complete compromise of GL.iNet AX1800 routers, which are commonly used in small to medium business environments and by some critical infrastructure sectors for secure network connectivity. Attackers gaining root access could intercept, modify, or disrupt network traffic, leading to data breaches, service outages, or lateral movement within corporate networks. The vulnerability undermines device integrity and availability, potentially impacting operational continuity. Given the reliance on these routers for VPN and secure communications, confidentiality risks are also significant. Organizations in sectors such as finance, healthcare, and government, which require stringent network security, could face regulatory and reputational damage if exploited. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially from targeted attackers who may develop custom exploits. The vulnerability's requirement for authentication means insider threats or compromised credentials pose the greatest risk vector.

To mitigate CVE-2025-67091, European organizations should first restrict access to the LuCI web interface and authenticated APIs by implementing network segmentation and firewall rules limiting management access to trusted IP addresses. Enforce strong, unique passwords and multi-factor authentication for device management to reduce the risk of credential compromise. Monitor router logs and network traffic for unusual activity indicative of exploitation attempts. If possible, disable remote management interfaces or restrict them to VPN-only access. Organizations should engage with GL.iNet for firmware updates or patches addressing this vulnerability and apply them promptly once available. As an interim measure, consider replacing affected devices with alternative hardware that does not exhibit this vulnerability, especially in high-risk environments. Conduct regular security audits of network devices and update device inventories to identify and prioritize vulnerable assets. Finally, educate IT staff about the risks associated with authenticated access vulnerabilities and the importance of secure device management practices.