CVE-2025-44018: Critical Firmware Downgrade Vulnerability Threatens GL-iNet GL-AXT1800 Routers

Overview

CVE-2025-44018 is a high-severity vulnerability affecting the Over-The-Air (OTA) update functionality of GL-iNet GL-AXT1800 routers running firmware version 4.7.0. This vulnerability allows an attacker to perform a firmware downgrade by exploiting a weakness in the way the router handles .tar files during the update process. Successful exploitation of this vulnerability can lead to complete compromise of the device.

Technical Details

The vulnerability stems from insufficient validation of the firmware image during the OTA update process. An attacker can craft a malicious .tar file containing an older, potentially vulnerable firmware version and, by intercepting the legitimate update process through a man-in-the-middle (MITM) attack, inject that .tar file into the update stream. The router, lacking adequate verification mechanisms, then installs the downgraded firmware. The downgrade can reintroduce known vulnerabilities that were previously patched, or allow the attacker to gain unauthorized access to and control over the router. The specific weakness is the lack of signature or version verification when the update package is processed: a crafted package that does not match the expected version or signature is installed anyway, leaving the affected router in an exploitable state.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-44018 is 8.3 (HIGH).

  • Base Score: 8.3
  • Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Explanation:
    • Attack Vector (AV): Adjacent Network (A) – An attacker on the same local network segment can exploit the vulnerability.
    • Attack Complexity (AC): High (H) – Specialized access conditions or circumstances must exist in order to exploit the vulnerability. A MITM attack requires careful timing and network positioning.
    • Privileges Required (PR): None (N) – No privileges are required to exploit this vulnerability.
    • User Interaction (UI): Required (R) – User interaction is required. The user typically initiates the update process which is then intercepted.
    • Scope (S): Changed (C) – An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the attacker can gain control over the router and potentially other devices on the network.
    • Confidentiality (C): High (H) – There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.
    • Integrity (I): High (H) – There is total loss of integrity, resulting in a complete loss of system protection. The attacker can modify any files or settings.
    • Availability (A): High (H) – There is total loss of availability, resulting in the attacker being able to fully disrupt or make unavailable the impacted component.

Possible Impact

Successful exploitation of CVE-2025-44018 can have severe consequences:

  • Complete Router Compromise: An attacker can gain full control of the router, allowing them to modify settings, intercept network traffic, and potentially use the router as a launchpad for further attacks.
  • Data Theft: Sensitive data transmitted through the router can be intercepted and stolen.
  • Malware Distribution: The router can be used to distribute malware to other devices on the network.
  • Network Disruption: The router can be used to disrupt network services and cause denial-of-service conditions.
  • Reintroduction of Known Vulnerabilities: Downgrading the firmware brings back vulnerabilities that were previously patched, exposing the router to known attacks.

Mitigation and Patch Steps

To mitigate the risk of CVE-2025-44018, the following steps are recommended:

  • Upgrade Firmware: Upgrade the GL-AXT1800 router to the latest available firmware version provided by GL-iNet. This patch should include a fix for the vulnerability. Check the official GL-iNet website for updates.
  • Secure Network: Ensure that your network is secured with a strong password and that Wi-Fi encryption (WPA3 is recommended) is enabled.
  • Use VPN: Consider using a Virtual Private Network (VPN) to encrypt your internet traffic and protect against MITM attacks, especially on untrusted networks.
  • Monitor Network Traffic: Implement network monitoring tools to detect suspicious activity and potential MITM attacks.
  • Verify HTTPS Connections: Always ensure that you are connecting to websites using HTTPS. Look for the padlock icon in your browser’s address bar.
