CVE-2025-67091
Privilege Escalation via Shell Redirection in GL.iNet AX1800 Opkg Script
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gl.inet | gl.inet_ax1800 | From 4.6.4 (inc) to 4.6.8 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-377 | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in GL.iNet AX1800 versions 4.6.4 and 4.6.8 within a custom opkg wrapper script located at /usr/libexec/opkg-call. The script runs with root privileges when triggered via the LuCI web interface or authenticated API calls to manage packages. The vulnerable code uses shell redirection to create a lock file in the world-writable /tmp directory, which can be exploited.
How can this vulnerability impact me?
Because the vulnerable script runs with root privileges and uses a world-writable directory for lock file creation, an attacker could potentially exploit this to escalate privileges or interfere with package management, leading to unauthorized actions or compromise of the device.
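The lock-file pattern described above (CWE-377), next to a hardened form, as an added example that is not code from /usr/libexec/opkg-call or from GL.iNet. The function names, return codes and the idea of a caller-owned lock directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration with constructed paths; not the contents of
# /usr/libexec/opkg-call, which the page does not reproduce.

# Unsafe pattern: plain redirection to a fixed name in a shared directory.
# The shell opens the path with O_CREAT|O_TRUNC and follows symlinks, so if
# the name already exists as a link, the link target is truncated with the
# privileges of the calling script.
lock_unsafe() {
    : > "$1"
}

# Exclusive create: with noclobber (set -C) the redirection fails when the
# path already exists, including when it is a symlink to a regular file.
create_excl() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Hardened pattern: only lock inside a real directory owned by the caller and
# not writable by group or others, then create the lock exclusively.
# Returns 0 = acquired, 1 = already held, 2 = directory not trustworthy.
lock_safe() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 2
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 2
    create_excl "$1/$2" || return 1
}
```

A quick audit of other root-run scripts for the same pattern is to search them for redirections that target fixed names under /tmp.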