<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Openwrt - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/openwrt/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 12 Jul 2026 12:25:52 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/openwrt/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-61875: Stored Cross-Site Scripting in OpenWrt luci-app-upnp</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61875-luci-app-upnp-xss/</link><pubDate>Sun, 12 Jul 2026 12:25:52 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61875-luci-app-upnp-xss/</guid><description>CVE-2026-61875 details a stored cross-site scripting vulnerability in OpenWrt's luci-app-upnp that allows unauthenticated LAN clients to inject malicious JavaScript into UPnP IGD AddPortMapping SOAP requests, leading to client-side code execution in an administrator's browser when viewing specific web interface pages.</description><content:encoded><![CDATA[<p>CVE-2026-61875 identifies a critical stored cross-site scripting (XSS) vulnerability within <code>luci-app-upnp</code>, a component of OpenWrt, an embedded operating system primarily used on routers. This vulnerability allows unauthenticated clients on the local area network (LAN) to inject arbitrary JavaScript code. The attack vector involves crafting a malicious UPnP IGD AddPortMapping SOAP request and embedding the JavaScript payload within the <code>NewPortMappingDescription</code> field. The <code>miniupnpd</code> daemon, responsible for handling UPnP requests, stores this malicious HTML without proper output encoding. Subsequently, when an administrator accesses the luci-app-upnp web interface and navigates to the UPnP or Status pages, the stored payload is rendered in their browser, executing the injected script. This flaw could lead to various client-side attacks, including session hijacking, credential theft, or further compromise of the administrator's system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated client gains access to the local area network (LAN) segment where the OpenWrt device is located.</li>
<li>The client crafts a specially designed UPnP IGD AddPortMapping SOAP request.</li>
<li>The malicious JavaScript payload is embedded within the <code>NewPortMappingDescription</code> field of the SOAP request.</li>
<li>The client sends the crafted SOAP request to the OpenWrt device's UPnP service, handled by the <code>miniupnpd</code> daemon.</li>
<li>The <code>miniupnpd</code> daemon processes the request and stores the malicious HTML content in its configuration or data store without sanitization.</li>
<li>An administrator logs into the OpenWrt web interface (<code>luci-app-upnp</code>).</li>
<li>The administrator navigates to the UPnP or Status pages, which display information including the stored port mapping descriptions.</li>
<li>The <code>luci-app-upnp</code> interface renders the stored malicious HTML directly in the administrator's web browser, executing the embedded JavaScript.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-61875 grants attackers the ability to execute arbitrary client-side code within the context of an administrator's browser session. This can lead to severe consequences, such as session hijacking, allowing the attacker to take over the administrator's web session, perform actions as the administrator, or steal authentication cookies. It could also facilitate credential theft through phishing techniques, browser-based cryptocurrency mining, or redirecting administrators to malicious websites. While specific victim counts are not available, OpenWrt is widely deployed on consumer and small office/home office (SOHO) routers, making a large number of devices potentially vulnerable to unauthenticated LAN-side compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-61875 by updating OpenWrt <code>luci-app-upnp</code> to the latest version as recommended by OpenWrt to address the cross-site scripting vulnerability.</li>
<li>Monitor network traffic for unusual UPnP IGD AddPortMapping SOAP requests, particularly those with unusually long or HTML-like content in the <code>NewPortMappingDescription</code> field, which could indicate attempts to exploit CVE-2026-61875.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cross-site-scripting</category><category>xss</category><category>openwrt</category><category>router</category><category>web-vulnerability</category><category>client-side-execution</category></item><item><title>OpenWrt luci-app-samba4 Vulnerability Allows Remote Command Execution</title><link>https://feed.craftedsignal.io/briefs/2026-07-openwrt-samba4-rce/</link><pubDate>Sun, 12 Jul 2026 12:25:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openwrt-samba4-rce/</guid><description>A vulnerability in OpenWrt's luci-app-samba4, identified as CVE-2026-59260, allows authenticated delegated users to achieve remote command execution on the Samba daemon by leveraging improper ACLs that grant `file.exec` permission on `/usr/sbin/smbd`.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, CVE-2026-59260, has been identified in OpenWrt's luci-app-samba4 package, which serves as a web interface for Samba. This flaw stems from an improper <code>read</code> ACL that inadvertently grants <code>file.exec</code> permission on the <code>/usr/sbin/smbd</code> daemon. This misconfiguration allows authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can leverage this by passing arbitrary Samba global options, such as the <code>message command</code> parameter, to a root <code>smbd</code> process. This injection ultimately triggers command execution on the underlying OpenWrt device when SMB protocol messages are processed, leading to remote code execution. This vulnerability poses a significant risk to OpenWrt systems using the vulnerable package, enabling attackers to gain full control over the device.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains credentials for an authenticated delegated user on an OpenWrt device running <code>luci-app-samba4</code>.</li>
<li>The attacker leverages the improper <code>read</code> ACL within <code>luci-app-samba4</code> that affects the <code>/usr/sbin/smbd</code> executable.</li>
<li>The misconfigured ACL grants the authenticated user <code>file.exec</code> permission on the <code>/usr/sbin/smbd</code> daemon, allowing them to initiate its execution.</li>
<li>The attacker executes the <code>/usr/sbin/smbd</code> process, providing specific command-line arguments that are under their control.</li>
<li>During the execution, the attacker injects malicious Samba global options, such as <code>-o &quot;message command = /path/to/arbitrary/script.sh&quot;</code>, into the <code>smbd</code> process.</li>
<li>The <code>smbd</code> process, running with root privileges, processes subsequent SMB protocol messages containing the injected <code>message command</code>.</li>
<li>The arbitrary command specified in the <code>message command</code> option is then executed with root privileges on the OpenWrt device.</li>
<li>The attacker achieves remote code execution (RCE), gaining full control over the compromised OpenWrt system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-59260 allows an authenticated delegated user to achieve remote code execution with root privileges on the OpenWrt device. This level of compromise grants the attacker complete control over the network device. The impact includes, but is not limited to, unauthorized access to network resources, manipulation or exfiltration of sensitive data, establishment of persistent backdoors, and the ability to pivot to other systems within the network. This could lead to significant data breaches, service disruptions, or further attacks on connected infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-59260 by updating the <code>luci-app-samba4</code> package on all affected OpenWrt devices immediately.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM to detect suspicious <code>smbd</code> process creations.</li>
<li>Enable comprehensive process creation logging for Linux systems to capture full command-line arguments for processes like <code>smbd</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openwrt</category><category>samba</category><category>cve</category><category>rce</category><category>network</category><category>linux</category></item></channel></rss>