PT-2026-1870 · Gl.Inet · Gl-Ax1800

Published 2026-01-08 · Updated 2026-01-09 · CVE-2025-67089

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: GL-iNet GL-AXT1800 router firmware version 4.6.8

Description: A command injection issue exists in the plugins.install package RPC method. The method does not properly sanitize user input in package names, allowing authenticated attackers to execute arbitrary commands with root privileges. The vulnerable parameter is the package name provided to the plugins.install package RPC method.

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the plugins.install package RPC method.

Exploit

Fix

Command Injection

Weakness Enumeration

Related Identifiers: CVE-2025-67089

Affected Products: Gl-Ax1800