<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OpenWrt - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/openwrt/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 12 Jul 2026 12:26:40 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/openwrt/feed.xml" rel="self" type="application/rss+xml"/><item><title>LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting Vulnerability (CVE-2026-61876)</title><link>https://feed.craftedsignal.io/briefs/2026-07-luci-dhcpv6-xss/</link><pubDate>Sun, 12 Jul 2026 12:26:40 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-luci-dhcpv6-xss/</guid><description>LuCI versions are vulnerable to CVE-2026-61876, a stored Cross-Site Scripting (XSS) flaw in their DHCPv6 lease hostname rendering logic, allowing an adjacent network attacker to inject malicious HTML markup that executes in an administrator's browser when viewing DHCP lease status pages.</description><content:encoded><![CDATA[<p>CVE-2026-61876 identifies a high-severity stored Cross-Site Scripting (XSS) vulnerability affecting LuCI, the default web interface for OpenWrt-based routers and network devices. This flaw arises from LuCI's failure to properly encode DHCPv6 lease hostnames before displaying them in administrative status tables. An attacker with adjacent network access can craft a malicious DHCPv6 Client FQDN containing script tags or other HTML markup. When an administrator subsequently views the DHCPv6 lease status page within the LuCI web interface, the injected malicious code executes in their browser. This client-side code execution can lead to various compromises within the administrative session, including session hijacking, credential theft, or unauthorized actions within the LuCI interface.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains presence on the same adjacent network segment as the vulnerable LuCI-managed OpenWrt device.</li>
<li>The attacker crafts a DHCPv6 Client Fully Qualified Domain Name (FQDN) containing a malicious XSS payload, such as <code>&lt;script&gt;alert(document.domain)&lt;/script&gt;</code>.</li>
<li>The attacker sends a DHCPv6 request to the OpenWrt device, including the malicious FQDN in the request.</li>
<li>The OpenWrt device, running the LuCI web interface, processes the DHCPv6 request and stores the malicious FQDN in its internal DHCP lease table.</li>
<li>An administrator logs into the LuCI web interface and navigates to the DHCPv6 lease status page to view network client information.</li>
<li>The LuCI web interface queries the stored DHCP lease data, retrieves the malicious FQDN, and constructs an HTML response for the administrator's browser.</li>
<li>Due to improper encoding, LuCI embeds the attacker's malicious FQDN directly into the HTML without sanitization.</li>
<li>The administrator's browser renders the page, executing the injected script within the context of the LuCI administrative interface, potentially leading to session hijacking or further compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-61876 results in client-side code execution within an administrator's browser while they are logged into the LuCI web interface. This can lead to session hijacking, allowing the attacker to take over the administrator's session and perform actions on the OpenWrt device. Attackers could also steal credentials, deface the administrative interface, or redirect the administrator to malicious websites. Such compromise of a router's administrative interface could grant attackers control over network configuration, traffic routing, and potentially provide a foothold for further attacks against the internal network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-61876 by updating LuCI to a version that properly encodes DHCPv6 lease hostnames. Refer to the OpenWrt project's advisories for specific version updates.</li>
<li>Implement network segmentation to restrict DHCPv6 requests to trusted devices and prevent adjacent network attackers from reaching the router's DHCP service.</li>
<li>Educate administrators on the risks of XSS and suspicious behavior when interacting with web interfaces, even trusted ones.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>web-vulnerability</category><category>network-device</category><category>router</category><category>dhcpv6</category></item><item><title>CVE-2026-61875: Stored Cross-Site Scripting in OpenWrt luci-app-upnp</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61875-luci-app-upnp-xss/</link><pubDate>Sun, 12 Jul 2026 12:25:52 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61875-luci-app-upnp-xss/</guid><description>CVE-2026-61875 details a stored cross-site scripting vulnerability in OpenWrt's luci-app-upnp that allows unauthenticated LAN clients to inject malicious JavaScript into UPnP IGD AddPortMapping SOAP requests, leading to client-side code execution in an administrator's browser when viewing specific web interface pages.</description><content:encoded><![CDATA[<p>CVE-2026-61875 identifies a critical stored cross-site scripting (XSS) vulnerability within <code>luci-app-upnp</code>, a component of OpenWrt, an embedded operating system primarily used on routers. This vulnerability allows unauthenticated clients on the local area network (LAN) to inject arbitrary JavaScript code. The attack vector involves crafting a malicious UPnP IGD AddPortMapping SOAP request and embedding the JavaScript payload within the <code>NewPortMappingDescription</code> field. The <code>miniupnpd</code> daemon, responsible for handling UPnP requests, stores this malicious HTML without proper output encoding. Subsequently, when an administrator accesses the luci-app-upnp web interface and navigates to the UPnP or Status pages, the stored payload is rendered in their browser, executing the injected script. This flaw could lead to various client-side attacks, including session hijacking, credential theft, or further compromise of the administrator's system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated client gains access to the local area network (LAN) segment where the OpenWrt device is located.</li>
<li>The client crafts a specially designed UPnP IGD AddPortMapping SOAP request.</li>
<li>The malicious JavaScript payload is embedded within the <code>NewPortMappingDescription</code> field of the SOAP request.</li>
<li>The client sends the crafted SOAP request to the OpenWrt device's UPnP service, handled by the <code>miniupnpd</code> daemon.</li>
<li>The <code>miniupnpd</code> daemon processes the request and stores the malicious HTML content in its configuration or data store without sanitization.</li>
<li>An administrator logs into the OpenWrt web interface (<code>luci-app-upnp</code>).</li>
<li>The administrator navigates to the UPnP or Status pages, which display information including the stored port mapping descriptions.</li>
<li>The <code>luci-app-upnp</code> interface renders the stored malicious HTML directly in the administrator's web browser, executing the embedded JavaScript.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-61875 grants attackers the ability to execute arbitrary client-side code within the context of an administrator's browser session. This can lead to severe consequences, such as session hijacking, allowing the attacker to take over the administrator's web session, perform actions as the administrator, or steal authentication cookies. It could also facilitate credential theft through phishing techniques, browser-based cryptocurrency mining, or redirecting administrators to malicious websites. While specific victim counts are not available, OpenWrt is widely deployed on consumer and small office/home office (SOHO) routers, making a large number of devices potentially vulnerable to unauthenticated LAN-side compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-61875 by updating OpenWrt <code>luci-app-upnp</code> to the latest version as recommended by OpenWrt to address the cross-site scripting vulnerability.</li>
<li>Monitor network traffic for unusual UPnP IGD AddPortMapping SOAP requests, particularly those with unusually long or HTML-like content in the <code>NewPortMappingDescription</code> field, which could indicate attempts to exploit CVE-2026-61875.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cross-site-scripting</category><category>xss</category><category>openwrt</category><category>router</category><category>web-vulnerability</category><category>client-side-execution</category></item><item><title>OpenWrt luci-app-samba4 Vulnerability Allows Remote Command Execution</title><link>https://feed.craftedsignal.io/briefs/2026-07-openwrt-samba4-rce/</link><pubDate>Sun, 12 Jul 2026 12:25:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openwrt-samba4-rce/</guid><description>A vulnerability in OpenWrt's luci-app-samba4, identified as CVE-2026-59260, allows authenticated delegated users to achieve remote command execution on the Samba daemon by leveraging improper ACLs that grant `file.exec` permission on `/usr/sbin/smbd`.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, CVE-2026-59260, has been identified in OpenWrt's luci-app-samba4 package, which serves as a web interface for Samba. This flaw stems from an improper <code>read</code> ACL that inadvertently grants <code>file.exec</code> permission on the <code>/usr/sbin/smbd</code> daemon. This misconfiguration allows authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can leverage this by passing arbitrary Samba global options, such as the <code>message command</code> parameter, to a root <code>smbd</code> process. This injection ultimately triggers command execution on the underlying OpenWrt device when SMB protocol messages are processed, leading to remote code execution. This vulnerability poses a significant risk to OpenWrt systems using the vulnerable package, enabling attackers to gain full control over the device.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains credentials for an authenticated delegated user on an OpenWrt device running <code>luci-app-samba4</code>.</li>
<li>The attacker leverages the improper <code>read</code> ACL within <code>luci-app-samba4</code> that affects the <code>/usr/sbin/smbd</code> executable.</li>
<li>The misconfigured ACL grants the authenticated user <code>file.exec</code> permission on the <code>/usr/sbin/smbd</code> daemon, allowing them to initiate its execution.</li>
<li>The attacker executes the <code>/usr/sbin/smbd</code> process, providing specific command-line arguments that are under their control.</li>
<li>During the execution, the attacker injects malicious Samba global options, such as <code>-o &quot;message command = /path/to/arbitrary/script.sh&quot;</code>, into the <code>smbd</code> process.</li>
<li>The <code>smbd</code> process, running with root privileges, processes subsequent SMB protocol messages containing the injected <code>message command</code>.</li>
<li>The arbitrary command specified in the <code>message command</code> option is then executed with root privileges on the OpenWrt device.</li>
<li>The attacker achieves remote code execution (RCE), gaining full control over the compromised OpenWrt system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-59260 allows an authenticated delegated user to achieve remote code execution with root privileges on the OpenWrt device. This level of compromise grants the attacker complete control over the network device. The impact includes, but is not limited to, unauthorized access to network resources, manipulation or exfiltration of sensitive data, establishment of persistent backdoors, and the ability to pivot to other systems within the network. This could lead to significant data breaches, service disruptions, or further attacks on connected infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-59260 by updating the <code>luci-app-samba4</code> package on all affected OpenWrt devices immediately.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM to detect suspicious <code>smbd</code> process creations.</li>
<li>Enable comprehensive process creation logging for Linux systems to capture full command-line arguments for processes like <code>smbd</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openwrt</category><category>samba</category><category>cve</category><category>rce</category><category>network</category><category>linux</category></item></channel></rss>