CVE-2025-67089

Published: Jan 8, 2026Modified: Jan 16, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize user input in package names. Authenticated attackers can exploit this to execute arbitrary commands with root privileges

Affected (3)

Products: Gl Inet: Gl Axt1800 Firmware

1 product

Gl Axt1800 Firmware

Configuration A

3 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Gl Inet Gl Axt1800 Firmware	Version 4.2.0
Gl Inet Gl Axt1800 Firmware	Version 4.6.4
Gl Inet Gl Axt1800 Firmware	Version 4.6.8

Running on/with	Platform Versions
Gl Inet Gl Axt1800	All versions

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (2)

https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub

Source: cve@mitre.org

ExploitThird Party AdvisoryPress/Media Coverage

https://www.gl-inet.com/security-updates/

Source: cve@mitre.org

Vendor Advisory

Timeline

No history available yet.