CVE-2025-25684

Name of the Vulnerable Software and Affected Versions GL-INet Beryl AX GL-MT3000 version 4.7.0

Description The issue is related to a lack of validation in the path parameter of the "/download" API endpoint, allowing attackers to download arbitrary files from the device's file system via a crafted POST request.

Recommendations For GL-INet Beryl AX GL-MT3000 version 4.7.0, as a temporary workaround, consider restricting access to the "/download" API endpoint until a patch is available. Avoid using the path parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.