{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/openwrt/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-61876"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LuCI"],"_cs_severities":["high"],"_cs_tags":["xss","web-vulnerability","network-device","router","dhcpv6"],"_cs_type":"advisory","_cs_vendors":["OpenWrt"],"content_html":"\u003cp\u003eCVE-2026-61876 identifies a high-severity stored Cross-Site Scripting (XSS) vulnerability affecting LuCI, the default web interface for OpenWrt-based routers and network devices. This flaw arises from LuCI's failure to properly encode DHCPv6 lease hostnames before displaying them in administrative status tables. An attacker with adjacent network access can craft a malicious DHCPv6 Client FQDN containing script tags or other HTML markup. When an administrator subsequently views the DHCPv6 lease status page within the LuCI web interface, the injected malicious code executes in their browser. This client-side code execution can lead to various compromises within the administrative session, including session hijacking, credential theft, or unauthorized actions within the LuCI interface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains presence on the same adjacent network segment as the vulnerable LuCI-managed OpenWrt device.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a DHCPv6 Client Fully Qualified Domain Name (FQDN) containing a malicious XSS payload, such as \u003ccode\u003e\u0026lt;script\u0026gt;alert(document.domain)\u0026lt;/script\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a DHCPv6 request to the OpenWrt device, including the malicious FQDN in the request.\u003c/li\u003e\n\u003cli\u003eThe OpenWrt device, running the LuCI web interface, processes the DHCPv6 request and stores the malicious FQDN in its internal DHCP lease table.\u003c/li\u003e\n\u003cli\u003eAn administrator logs into the LuCI web interface and navigates to the DHCPv6 lease status page to view network client information.\u003c/li\u003e\n\u003cli\u003eThe LuCI web interface queries the stored DHCP lease data, retrieves the malicious FQDN, and constructs an HTML response for the administrator's browser.\u003c/li\u003e\n\u003cli\u003eDue to improper encoding, LuCI embeds the attacker's malicious FQDN directly into the HTML without sanitization.\u003c/li\u003e\n\u003cli\u003eThe administrator's browser renders the page, executing the injected script within the context of the LuCI administrative interface, potentially leading to session hijacking or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61876 results in client-side code execution within an administrator's browser while they are logged into the LuCI web interface. This can lead to session hijacking, allowing the attacker to take over the administrator's session and perform actions on the OpenWrt device. Attackers could also steal credentials, deface the administrative interface, or redirect the administrator to malicious websites. Such compromise of a router's administrative interface could grant attackers control over network configuration, traffic routing, and potentially provide a foothold for further attacks against the internal network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-61876 by updating LuCI to a version that properly encodes DHCPv6 lease hostnames. Refer to the OpenWrt project's advisories for specific version updates.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict DHCPv6 requests to trusted devices and prevent adjacent network attackers from reaching the router's DHCP service.\u003c/li\u003e\n\u003cli\u003eEducate administrators on the risks of XSS and suspicious behavior when interacting with web interfaces, even trusted ones.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T12:26:40Z","date_published":"2026-07-12T12:26:40Z","id":"https://feed.craftedsignal.io/briefs/2026-07-luci-dhcpv6-xss/","summary":"LuCI versions are vulnerable to CVE-2026-61876, a stored Cross-Site Scripting (XSS) flaw in their DHCPv6 lease hostname rendering logic, allowing an adjacent network attacker to inject malicious HTML markup that executes in an administrator's browser when viewing DHCP lease status pages.","title":"LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting Vulnerability (CVE-2026-61876)","url":"https://feed.craftedsignal.io/briefs/2026-07-luci-dhcpv6-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-61875"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["luci-app-upnp"],"_cs_severities":["high"],"_cs_tags":["cross-site-scripting","xss","openwrt","router","web-vulnerability","client-side-execution"],"_cs_type":"advisory","_cs_vendors":["OpenWrt"],"content_html":"\u003cp\u003eCVE-2026-61875 identifies a critical stored cross-site scripting (XSS) vulnerability within \u003ccode\u003eluci-app-upnp\u003c/code\u003e, a component of OpenWrt, an embedded operating system primarily used on routers. This vulnerability allows unauthenticated clients on the local area network (LAN) to inject arbitrary JavaScript code. The attack vector involves crafting a malicious UPnP IGD AddPortMapping SOAP request and embedding the JavaScript payload within the \u003ccode\u003eNewPortMappingDescription\u003c/code\u003e field. The \u003ccode\u003eminiupnpd\u003c/code\u003e daemon, responsible for handling UPnP requests, stores this malicious HTML without proper output encoding. Subsequently, when an administrator accesses the luci-app-upnp web interface and navigates to the UPnP or Status pages, the stored payload is rendered in their browser, executing the injected script. This flaw could lead to various client-side attacks, including session hijacking, credential theft, or further compromise of the administrator's system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated client gains access to the local area network (LAN) segment where the OpenWrt device is located.\u003c/li\u003e\n\u003cli\u003eThe client crafts a specially designed UPnP IGD AddPortMapping SOAP request.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript payload is embedded within the \u003ccode\u003eNewPortMappingDescription\u003c/code\u003e field of the SOAP request.\u003c/li\u003e\n\u003cli\u003eThe client sends the crafted SOAP request to the OpenWrt device's UPnP service, handled by the \u003ccode\u003eminiupnpd\u003c/code\u003e daemon.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eminiupnpd\u003c/code\u003e daemon processes the request and stores the malicious HTML content in its configuration or data store without sanitization.\u003c/li\u003e\n\u003cli\u003eAn administrator logs into the OpenWrt web interface (\u003ccode\u003eluci-app-upnp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe administrator navigates to the UPnP or Status pages, which display information including the stored port mapping descriptions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eluci-app-upnp\u003c/code\u003e interface renders the stored malicious HTML directly in the administrator's web browser, executing the embedded JavaScript.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-61875 grants attackers the ability to execute arbitrary client-side code within the context of an administrator's browser session. This can lead to severe consequences, such as session hijacking, allowing the attacker to take over the administrator's web session, perform actions as the administrator, or steal authentication cookies. It could also facilitate credential theft through phishing techniques, browser-based cryptocurrency mining, or redirecting administrators to malicious websites. While specific victim counts are not available, OpenWrt is widely deployed on consumer and small office/home office (SOHO) routers, making a large number of devices potentially vulnerable to unauthenticated LAN-side compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-61875 by updating OpenWrt \u003ccode\u003eluci-app-upnp\u003c/code\u003e to the latest version as recommended by OpenWrt to address the cross-site scripting vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual UPnP IGD AddPortMapping SOAP requests, particularly those with unusually long or HTML-like content in the \u003ccode\u003eNewPortMappingDescription\u003c/code\u003e field, which could indicate attempts to exploit CVE-2026-61875.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T12:25:52Z","date_published":"2026-07-12T12:25:52Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61875-luci-app-upnp-xss/","summary":"CVE-2026-61875 details a stored cross-site scripting vulnerability in OpenWrt's luci-app-upnp that allows unauthenticated LAN clients to inject malicious JavaScript into UPnP IGD AddPortMapping SOAP requests, leading to client-side code execution in an administrator's browser when viewing specific web interface pages.","title":"CVE-2026-61875: Stored Cross-Site Scripting in OpenWrt luci-app-upnp","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61875-luci-app-upnp-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-59260"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["luci-app-samba4"],"_cs_severities":["high"],"_cs_tags":["openwrt","samba","cve","rce","network","linux"],"_cs_type":"advisory","_cs_vendors":["OpenWrt"],"content_html":"\u003cp\u003eA high-severity vulnerability, CVE-2026-59260, has been identified in OpenWrt's luci-app-samba4 package, which serves as a web interface for Samba. This flaw stems from an improper \u003ccode\u003eread\u003c/code\u003e ACL that inadvertently grants \u003ccode\u003efile.exec\u003c/code\u003e permission on the \u003ccode\u003e/usr/sbin/smbd\u003c/code\u003e daemon. This misconfiguration allows authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can leverage this by passing arbitrary Samba global options, such as the \u003ccode\u003emessage command\u003c/code\u003e parameter, to a root \u003ccode\u003esmbd\u003c/code\u003e process. This injection ultimately triggers command execution on the underlying OpenWrt device when SMB protocol messages are processed, leading to remote code execution. This vulnerability poses a significant risk to OpenWrt systems using the vulnerable package, enabling attackers to gain full control over the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains credentials for an authenticated delegated user on an OpenWrt device running \u003ccode\u003eluci-app-samba4\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the improper \u003ccode\u003eread\u003c/code\u003e ACL within \u003ccode\u003eluci-app-samba4\u003c/code\u003e that affects the \u003ccode\u003e/usr/sbin/smbd\u003c/code\u003e executable.\u003c/li\u003e\n\u003cli\u003eThe misconfigured ACL grants the authenticated user \u003ccode\u003efile.exec\u003c/code\u003e permission on the \u003ccode\u003e/usr/sbin/smbd\u003c/code\u003e daemon, allowing them to initiate its execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003e/usr/sbin/smbd\u003c/code\u003e process, providing specific command-line arguments that are under their control.\u003c/li\u003e\n\u003cli\u003eDuring the execution, the attacker injects malicious Samba global options, such as \u003ccode\u003e-o \u0026quot;message command = /path/to/arbitrary/script.sh\u0026quot;\u003c/code\u003e, into the \u003ccode\u003esmbd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esmbd\u003c/code\u003e process, running with root privileges, processes subsequent SMB protocol messages containing the injected \u003ccode\u003emessage command\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe arbitrary command specified in the \u003ccode\u003emessage command\u003c/code\u003e option is then executed with root privileges on the OpenWrt device.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution (RCE), gaining full control over the compromised OpenWrt system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59260 allows an authenticated delegated user to achieve remote code execution with root privileges on the OpenWrt device. This level of compromise grants the attacker complete control over the network device. The impact includes, but is not limited to, unauthorized access to network resources, manipulation or exfiltration of sensitive data, establishment of persistent backdoors, and the ability to pivot to other systems within the network. This could lead to significant data breaches, service disruptions, or further attacks on connected infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-59260 by updating the \u003ccode\u003eluci-app-samba4\u003c/code\u003e package on all affected OpenWrt devices immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect suspicious \u003ccode\u003esmbd\u003c/code\u003e process creations.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive process creation logging for Linux systems to capture full command-line arguments for processes like \u003ccode\u003esmbd\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T12:25:02Z","date_published":"2026-07-12T12:25:02Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openwrt-samba4-rce/","summary":"A vulnerability in OpenWrt's luci-app-samba4, identified as CVE-2026-59260, allows authenticated delegated users to achieve remote command execution on the Samba daemon by leveraging improper ACLs that grant `file.exec` permission on `/usr/sbin/smbd`.","title":"OpenWrt luci-app-samba4 Vulnerability Allows Remote Command Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-openwrt-samba4-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenWrt","version":"https://jsonfeed.org/version/1.1"}