
Hacking Hotspots: Pre-auth RCE, Arbitrary SMS, and Adjacent Attacks on 5G and LTE Routers

DEFCONConference · 535 views · 27:14 · 6 months ago

This talk demonstrates multiple critical vulnerabilities, including pre-authentication remote code execution (RCE), arbitrary SMS sending, and cross-site request forgery (CSRF), affecting various 5G and LTE routers. The research highlights how insecure API endpoints, specifically those utilizing 'goform' web forms, allow attackers to bypass authentication and execute arbitrary shell commands. The speaker provides a practical walkthrough of exploiting these vulnerabilities to gain root access and manipulate device configurations. The presentation emphasizes the systemic nature of these security flaws across multiple manufacturers and the risks posed by insecure embedded firmware.

Why Your 5G Router Is Likely Running a Root-Level Backdoor

TLDR: Recent research into 5G and LTE routers from manufacturers like Tuoshi and Kuwfi reveals a systemic failure in firmware security, where insecure API endpoints allow for pre-authentication remote code execution. Attackers can bypass authentication via simple request manipulation to gain root access, send arbitrary SMS messages, and compromise network configurations. Pentesters should prioritize auditing these devices for 'goform' endpoints, as they are frequently exposed to the WAN and provide an easy path to full device takeover.

Hardware security often feels like a game of whack-a-mole, but the recent findings presented at DEF CON 2025 regarding 5G and LTE routers suggest the game is rigged. We are not talking about obscure, high-end enterprise gear that requires a specialized lab to audit. We are talking about the cheap, ubiquitous hotspots and CPE routers that power remote offices, IoT deployments, and home networks. The research demonstrates that these devices are shipping with critical, pre-authentication vulnerabilities that turn a simple web request into a full root shell.

The 'goform' Vulnerability Pattern

The core of the issue lies in how these devices handle API requests. Many of these routers use a common firmware component that exposes endpoints under the /goform/ path. These endpoints are intended to handle configuration changes, but they lack proper input validation and authentication checks.

In many cases, the device assumes that if a request hits the internal web server, it must be legitimate. This is a classic failure of Broken Access Control. By manipulating the parameters sent to these forms, an attacker can trigger command injection. The research highlights that these devices often pipe user-supplied input directly into system calls. If you can control the input, you control the shell.

For example, a request to an endpoint like /goform/goform_get_cmd_process might look benign, but when combined with a crafted payload, it becomes a weapon. The following command structure is typical of what researchers found:

curl -X POST "http://192.168.0.1/goform/goform_set_cmd_process" \
     -d "command=AT+CGMI;[INJECTED_COMMAND]"

This isn't just a theoretical bug. The researchers demonstrated that by sending these requests, they could extract sensitive information, such as the contents of /etc/shadow, or force the device to execute arbitrary code. Because these devices often run as root, the impact is total.
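As an added illustration in Python (not code from the talk or from any vendor's firmware), the defect described above next to its hardened form: a builder that pastes the form value into a shell line, beside a handler that accepts only a single allowlisted AT command and hands it to the modem helper as an argv list with no shell involved. The atcmd helper path and the allowlist contents are assumptions for this example.

```python
import re

# One well-formed AT command: "AT+", a name, then optionally "=<args>" or "?".
# Nothing in these character classes matches ";", "|", "&", "`", "$", quotes,
# newlines or whitespace, so a second command cannot be smuggled in.
AT_COMMAND_RE = re.compile(
    r'AT\+(?P<name>[A-Z0-9]{1,16})(?:=(?P<args>[A-Za-z0-9,]{0,64})|\?)?'
)

# Assumed allowlist for this example: read-only identification queries only.
ALLOWED_AT_NAMES = frozenset({"CGMI", "CGMM", "CGSN"})

# Hypothetical helper binary that talks to the modem; the path is an assumption.
ATCMD_HELPER = "/usr/bin/atcmd"


def vulnerable_build(user_input: str) -> str:
    """The defect the talk describes: the form value is pasted into a shell line.
    Returned as a string and never executed here, so the problem is visible:
    'AT+CGMI;id' becomes '/usr/bin/atcmd AT+CGMI;id' and a shell would run 'id'."""
    return f"{ATCMD_HELPER} {user_input}"


def is_allowed(user_input: str) -> bool:
    """True only for a single, allowlisted, metacharacter-free AT command."""
    m = AT_COMMAND_RE.fullmatch(user_input.strip())
    return m is not None and m.group("name") in ALLOWED_AT_NAMES


def safe_argv(user_input: str) -> list[str]:
    """Hardened form: validate first, then build an argv list for subprocess
    (no shell=True), so the helper receives the value as exactly one argument."""
    if not is_allowed(user_input):
        raise ValueError("rejected: not a single allowlisted AT command")
    return [ATCMD_HELPER, user_input.strip()]
```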

From Command Injection to Full Compromise

The technical depth of these vulnerabilities is alarming because they span multiple manufacturers. The research identified that many of these devices share the same underlying SDKs and binary structures. When you see CVE-2025-43989 or similar identifiers, you are looking at a failure to sanitize input before passing it to the system's command processor.

One of the most dangerous aspects is the ability to send arbitrary SMS messages. By interacting with the modem's AT command interface—which is exposed through these vulnerable web forms—an attacker can send messages from the device's SIM card. This turns the router into a platform for phishing or bypassing multi-factor authentication (MFA) if the device is used for critical infrastructure.

The demo provided in the research showed a simple Python script that automated the exploitation process. It didn't require complex exploit chains or memory corruption techniques. It was a straightforward injection that resulted in a root shell. This level of accessibility means that even low-skill actors can easily weaponize these devices.

Real-World Impact for Pentesters

If you are conducting a penetration test on a client that uses these devices, do not assume they are secure just because they are behind a firewall. Many of these routers are configured with remote management enabled, or they are used in environments where the WAN interface is directly exposed to the internet.

When auditing these devices, start by mapping the web interface. Look for the /goform/ path. If you find it, use Burp Suite to fuzz the parameters. You are looking for any field that interacts with system settings, such as network configuration or diagnostic tools. If you can inject a semicolon or a pipe character, you have likely found a path to RCE.

The impact of a successful exploit is not limited to the router. Once you have root access, you can pivot into the internal network, intercept traffic, or use the device as a persistent foothold. In an era where IoT security is often an afterthought, these routers represent a massive, unpatched attack surface.

What Defenders Can Do

Defenders are in a tough spot because these devices often lack a clear path for firmware updates. If you are managing these devices, the first step is to disable remote management immediately. If the device does not need to be accessible from the WAN, ensure it is not.

Beyond that, monitor for unusual traffic patterns originating from the router itself. If a hotspot starts sending SMS messages or making unexpected outbound connections to unknown IPs, it is likely compromised. Finally, push your vendors for a software bill of materials (SBOM). If they cannot tell you what components are in their firmware, they cannot tell you if those components are vulnerable.

The industry needs to stop treating embedded firmware as a "set it and forget it" technology. These routers are essentially small, poorly secured Linux servers. Until manufacturers start taking basic input validation seriously, they will continue to be the easiest way into a network. If you are a researcher, keep digging into these devices. The next critical vulnerability is likely just one goform request away.

Talk Type: research presentation
Difficulty: intermediate
Category: iot security
Tags: Has Demo, Has Code, Tool Released


DEF CON 33 Main Stage Talks

98 talks · 2025