GRAX66 & GRAX66E (AX6600/AXE6600) Router IPV6 Firewall Critical Vulnerability

firmware version = 753678 (latest)

Summary
The GRAX66 router has a critical vulnerability in its IPv6 firewall. The default IPv6 firewall rule is ALLOW (permissive). The configuration assumes rules will be defined by the GUI, but no IPv6 GUI exists.

Evidence.

Port scan of known host

Code:
nmap -Pn -6 'xxx:xxxxx/128'
PORT STATE SERVICE
22/tcp open ssh
2179/tcp open vmrdp
45100/tcp closed unknown
48080/tcp closed unknown

Port Scan of Network

Code:
nmap -6 -Pn -n -F -iL 2026-03-27-hosts.txt -oG scan_results_fast.txt
# shows 6 hosts with open (unfiltered) ports

Review of GRAX66 Router Firmware

/bin/firewallv6.sh (IPv6 Security Logic)

This script is responsible for building the ip6tables rule tree. It defines the structure for INPUT, FORWARD, and OUTPUT chains. However, the current version is permissive by default because the command to set the global policy to DROP is commented out. It attempts to load specific rules (like Port Forwarding or DMZ) by executing small helper scripts in /var/ip6tables/, which are generated dynamically based on your GUI settings. If these files are missing or the main policy is not set, the router passes all IPv6 traffic unfiltered.

# Issue 1: Default Permissive Policy (The 'DROP' command is commented out)
Code:
start()
{
    if [ `${ipt_filter} -S | grep "\-N" | wc -l` -eq 0 ]; then
        # set_main_chain_policy  <-- Policy stays ACCEPT; traffic is never blocked.
        gen_def_filter_chain


# Issue 2: Assuming GUI rules exist in volatile /var/ (GUI DOES NOT HAVE IPV6 support, these rules are never written)
    if [ "$(flash_get Device.Acelink.PortForwarding.Enable)" = "true" ];then
        ${ipt_filter} -A FORWARD_WAN${wanIndex} -j FORWARD_PORTFORWARD_WAN${wanIndex}
        sh /var/ip6tables/FORWARD_PORTFORWARD_WAN${wanIndex} 2>/dev/null
    fi
 
Here are the tests that were run to confirm that the IPv6 firewall is open:

1. port scan of a single host (above) from the internet
2. port scan of entire LAN public IPv6 addresses. No hosts or ports were filtered by the firewall. All open ports on the LAN were open to the internet.
3. Export IPv6 IPTables config showing default=ACCEPT
4. review of firewallv6.sh to identify default=OPEN configuration.
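
The check in test 3, as an added example that is not part of the original post or of the router firmware: a small audit of `ip6tables -S` output that flags a built-in chain left at policy ACCEPT with no catch-all rule, and a user chain that is jumped to but was never populated. The function name, the finding labels, the WAN index 1 and both rule sets are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit `ip6tables -S` output for the two conditions in the post.
# PERMISSIVE <chain>: policy ACCEPT and no unconditional DROP/REJECT rule
# EMPTY <chain>: user chain that is jumped to but holds no rules
# Limitation: a catch-all placed inside a sub-chain is not followed.
audit_ip6tables() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" { policy[$2] = $3 }
        $1 == "-N" { user[$2] = 1 }
        $1 == "-A" {
            nrules[$2]++
            # no match criteria before -j: the rule applies to every packet
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) catchall[$2] = 1
            for (i = 3; i < NF; i++)
                if ($i == "-j" || $i == "-g") jumped[$(i + 1)] = 1
        }
        END {
            n = split("INPUT FORWARD", want, " ")
            for (k = 1; k <= n; k++)
                if (policy[want[k]] == "ACCEPT" && !catchall[want[k]])
                    print "PERMISSIVE " want[k]
            for (c in user)
                if (jumped[c] && !nrules[c]) print "EMPTY " c
        }' | LC_ALL=C sort
}

# Constructed sample: policy left at ACCEPT, port-forward chain never filled
SAMPLE_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_WAN1
-N FORWARD_PORTFORWARD_WAN1
-A FORWARD -j FORWARD_WAN1
-A FORWARD_WAN1 -j FORWARD_PORTFORWARD_WAN1'

# Constructed sample: default-deny policy, replies to existing flows allowed
SAMPLE_HARDENED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

audit_ip6tables "$SAMPLE_OPEN"   # prints the three findings
```

On a device with shell access, `audit_ip6tables "$(ip6tables -S)"` runs the same check against the live filter table.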
 
Hi
Best I can suggest is that you inform MSI directly.
I don't think many of us have an MSI router, and even fewer have the knowledge. I've the knowledge, but not the router as it's too basic for my needs 🙃
>>How to contact MSI.<<
I'll also see if I can get attention to this
 
> Best I can suggest is that you inform MSI directly.
I escalated to CS & PSIRT and got a response. I wanted to also say thanks. I've reported a lot of issues to this board and you've been one of the most supportive team members when I've had issues.

> I've the knowledge, but not the router as it's too basic for my needs
The hardware is stellar -- I've tested many other devices and this one has incredible WIFI performance (range, latency, throughput). It's hamstrung with abysmal software.
 