CVE-2025-67090 in AX1800

Summary

by MITRE • 01/08/2026

The LuCI web interface on Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 is vulnerable. Fix available in version 4.8.2. GL.Inet AX1800 Version 4.6.4 & 4.6.8 lacks rate limiting or account lockout mechanisms on the authentication endpoint (`/cgi-bin/luci`). An unauthenticated attacker on the local network can perform unlimited password attempts against the admin interface.

Analysis

by VulDB Data Team • 01/08/2026

The vulnerability identified as CVE-2025-67090 affects the LuCI web interface implementation on Gl Inet AX1800 routers running firmware versions 4.6.4 and 4.6.8. This represents a critical authentication flaw that undermines the security posture of network devices deployed in residential and small office environments. The affected device operates with a web-based management interface that lacks fundamental security controls necessary to protect against credential stuffing and brute force attacks. The vulnerability specifically targets the authentication endpoint at `/cgi-bin/luci`, which serves as the primary interface for administrative access to the router configuration. The absence of rate limiting mechanisms and account lockout procedures creates an exploitable condition that allows attackers to conduct unlimited password guessing attempts without detection or restriction.

From a technical perspective, this vulnerability manifests as a lack of authentication throttling controls that would normally prevent attackers from systematically attempting multiple password combinations against the administrative account. The absence of such protections creates a path for automated attack tools to rapidly cycle through common password dictionaries or exploit known weak credentials without encountering blocking mechanisms. This flaw directly maps to CWE-307 - Improper Restriction of Excessive Authentication Attempts, which specifically addresses insufficient protection against repeated authentication attempts that could lead to credential compromise. The vulnerability exists because the web application fails to implement proper session management controls that would limit the frequency of authentication requests from a single source, thereby enabling attackers to leverage the device's exposed administrative interface for unauthorized access.

The operational impact of this vulnerability extends beyond simple credential theft to potentially enable full administrative control of affected devices. An attacker with local network access can leverage this vulnerability to gain complete control over router configurations, including network settings, firewall rules, DNS configurations, and potentially establish persistent backdoors. The local network access requirement does not significantly limit the attack surface since many residential and small office networks do not adequately segment their wired and wireless networks from administrative access points. This vulnerability creates a significant risk for organizations that deploy these devices without proper network segmentation, as attackers could potentially gain access to the entire local network through the compromised router. The attack vector is particularly concerning because it requires minimal technical expertise to exploit, making it accessible to threat actors with basic knowledge of network security principles.

Mitigation strategies for this vulnerability should focus on immediate firmware updates to version 4.8.2, which contains the necessary rate limiting and account lockout mechanisms. Network administrators should prioritize updating affected devices as a critical security measure, particularly in environments where local network access is not properly restricted. Additional protective measures include implementing network segmentation to isolate administrative interfaces from general user access, configuring firewall rules to restrict access to the LuCI interface to specific trusted IP addresses, and enabling multi-factor authentication where available. The remediation process should also include monitoring network traffic for unusual authentication patterns that might indicate brute force attack attempts against the affected interface. Organizations should also consider implementing network access control policies that require secure authentication methods for all administrative interfaces and establish regular vulnerability scanning procedures to identify similar weaknesses in other network infrastructure components. This vulnerability demonstrates the importance of implementing defense-in-depth strategies that protect against both external and internal threats, particularly in network devices that are often deployed with minimal security hardening.
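One way to implement the monitoring step described above, as an added example that is not VulDB's or the vendor's code: it counts failed POSTs to `/cgi-bin/luci` per source address in a sliding window. The common-log-format input, the 401/403 failure statuses, the thresholds, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in common log format (assumed; adapt LINE_RE to whatever
# proxy or capture tool actually records requests to the router).
SAMPLE_LOG = [
    f'192.168.8.23 - - [08/Jan/2026:10:00:{s:02d} +0000] '
    '"POST /cgi-bin/luci HTTP/1.1" 403 512'
    for s in range(0, 16, 2)  # 8 failed logins within 14 seconds
] + [
    '192.168.8.50 - - [08/Jan/2026:10:01:00 +0000] "POST /cgi-bin/luci HTTP/1.1" 403 512',
    '192.168.8.50 - - [08/Jan/2026:10:05:00 +0000] "POST /cgi-bin/luci HTTP/1.1" 200 2048',
    '192.168.8.77 - - [08/Jan/2026:10:02:00 +0000] "GET /cgi-bin/luci HTTP/1.1" 200 1024',
]

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60),
                      fail_status=frozenset({"401", "403"})):
    """Return {source: peak failed logins inside `window`} for every source
    that reaches `threshold`. Lines must be in chronological order."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # only login submissions count as attempts
        if m["path"].split("?")[0].rstrip("/") != "/cgi-bin/luci":
            continue
        if m["status"] not in fail_status:
            continue  # assumed: a rejected login is logged as 401/403
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["src"]] = max(flagged.get(m["src"], 0), len(q))
    return flagged

if __name__ == "__main__":
    for src, peak in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {peak} failed logins to /cgi-bin/luci within 60s")
```

On firmware without lockout, an alert like this is the only signal of repeated guessing, so the threshold should sit well above what a user mistyping a password produces.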

Responsible: MITRE
Reservation: 12/08/2025
Disclosure: 01/08/2026
Moderation: accepted
CPE: ready
EPSS: 0.00214
KEV: no
Activities: very low
