A critical vulnerability has been identified in the OpenWrt luci-app-https-dns-proxy package, allowing for authenticated remote code execution and local privilege escalation. The flaw resides in the setInitAction function, which fails to properly sanitize the name parameter. This lack of validation enables an authenticated user with basic access to the application to inject malicious commands that are executed with root privileges on the target router.
The exploit involves a Python-based "Root Takeover" script that authenticates via the OpenWrt UBUS RPC interface and delivers a command injection payload designed to overwrite the root password. Successful execution provides the attacker with full SSH access to the device. System administrators are urged to update their OpenWrt installations and the luci-app-https-dns-proxy software to versions released after January 17, 2026, to mitigate this risk.
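The missing validation described above can be closed with a strict allowlist before anything reaches the init system. The following is an added example, not the package's own code or its actual fix: it assumes a POSIX shell handler, and the names safe_set_init_action, in_list, valid_token, ALLOWED_SERVICES, ALLOWED_ACTIONS and INIT_DIR, as well as the single allowed service name, are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical hardened handler, not the package's code.
# Assumption: the handler only ever needs to control the app's own service.
ALLOWED_SERVICES="https-dns-proxy"
ALLOWED_ACTIONS="start stop restart reload enable disable"
INIT_DIR="${INIT_DIR:-/etc/init.d}"

# in_list <needle> <space-separated list>: exact-match membership test.
in_list() {
    for _item in $2; do
        if [ "$_item" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# valid_token <string>: non-empty and only [A-Za-z0-9_-], which rules out
# shell metacharacters, whitespace, slashes and "..".
valid_token() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# safe_set_init_action <name> <action>
# Returns 2 for bad name syntax, 3 if the name is not allowlisted,
# 4 if the action is not allowlisted, 5 if the init script is missing,
# otherwise the exit status of the init script itself.
safe_set_init_action() {
    valid_token "$1" || return 2
    in_list "$1" "$ALLOWED_SERVICES" || return 3
    in_list "$2" "$ALLOWED_ACTIONS" || return 4
    [ -x "$INIT_DIR/$1" ] || return 5
    # Run the script directly with quoted arguments: no eval, no sh -c,
    # and no caller-supplied text concatenated into a command line.
    "$INIT_DIR/$1" "$2"
}
```
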