External risk intelligence

ALLNET ALL-RUT22GW Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-29269

The affected product is an industrial cellular router. These devices are designed to function as internet edge gateways, providing network connectivity and routing, which typically results in the management interface or the device itself being exposed to the public internet in standard deployment scenarios.

OS Command Injection

Allnet All Rut22gw Firmware

3.3.8

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in specific industrial cellular router firmware that could allow unauthorized remote access and control of affected devices. The issue lies within the command execution capabilities of the affected technology, potentially enabling attackers to compromise the device's operations. At a high level, this could mean that devices with this vulnerable firmware might be controllable by external parties.

  • Allows remote control of devices.
  • Critical if business relies on network edge.
  • Confirm device relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to the popen.cgi endpoint of an exposed ALLNET ALL-RUT22GW device. This could allow them to execute arbitrary operating system commands on the device, potentially leading to full compromise.

  • No authentication required.
  • Triggered by sending a malicious request.
  • Leads to full device compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary operating system commands on the affected device through a network interface. This could impact the device's core functionality and potentially expose it to further compromise.

  • Device command execution.
  • Via a network parameter.
  • Compromise of device operations.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in an industrial cellular router impacts infrastructure or network teams responsible for edge devices. The first step is to identify all deployed units, assess their internet reachability and business criticality, and confirm ownership. A risk-based remediation plan can then be developed, potentially involving coordination with the vendor or implementing temporary risk reduction measures.

  • Identify affected devices and owners.
  • Verify external exposure and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the ALLNET ALL-RUT22GW?

The ALLNET ALL-RUT22GW is an industrial LTE cellular router. Organizations use these devices as network edge gateways to provide connectivity and routing for remote sites or infrastructure, often acting as a bridge between internal networks and external cellular signals.

What does OS command injection mean for CVE-2025-29269?

This vulnerability, classified as CWE-78, allows an attacker to manipulate the device into running unauthorized operating system commands. By injecting malicious instructions, an attacker can bypass standard device functions to gain unauthorized control over the router's operations.

How is this command injection triggered?

The vulnerability is triggered by sending a specially crafted request to the popen.cgi endpoint on the device. An attacker does not need to provide valid login credentials or authenticate in any way to initiate this request. Simply sending the malicious command parameter is sufficient to execute the code; typical administrative web traffic that does not target this specific endpoint will not trigger the bug.

Why is this CVE considered relevant for my network?

According to Halo Surface Signal, this router is designed for internet-edge connectivity, making the management interface frequently exposed to the public internet. If your device is directly reachable from the outside, it is a high-priority target for remote exploitation.

What should I do if I manage these routers?

Start by auditing your network to locate all deployed ALL-RUT22GW units. Determine which devices are reachable from the public internet and evaluate their role in your infrastructure. Once identified, prioritize these high-exposure units while you coordinate with the vendor to determine the availability of firmware updates or temporary risk-reduction strategies.

References