CVE-2025-67090

low-risk
Published 2026-01-08

The LuCI web interface on Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerable. Fix available in version 4.8.2 GL.Inet AX1800 Version 4.6.4 & 4.6.8 lacks rate limiting or account lockout mechanisms on the authentication endpoint (`/cgi-bin/luci`). An unauthenticated attacker on the local network can perform unlimited password attempts against the admin interface.

Do I need to act?

-
0.17% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.1/10 Medium
LOCAL / LOW complexity

Affected Products (3)

Affected Vendors

Gl-Inet

References (3)

Exploit https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl...
Exploit https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl...
Broken Link https://www.gl-inet.com/security/
27
/ 100
low-risk
Severity 17/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 9/34 · Low