OpenWrt 23.05 Authenticated RCE Enables Root Takeover of Routers via luci‑app‑https‑dns‑proxy
What Happened – A publicly released exploit (EDB‑ID 52521) demonstrates that an attacker holding valid but low‑privileged LuCI credentials on OpenWrt 23.05 (an account whose ACL grants access to the luci‑app‑https‑dns‑proxy package) can execute arbitrary commands as root, effectively taking over the router. The exploit leverages a command‑injection flaw in the package’s UBus RPC interface; a CVE is pending assignment.
Why It Matters for TPRM –
- Compromised routers become a foothold for lateral movement into corporate networks and IoT environments.
- Many MSPs, telecom carriers, and edge‑computing providers ship OpenWrt‑based devices to customers, creating a supply‑chain risk.
- Persistent root access can be used to exfiltrate data, launch DDoS attacks, or install ransomware on downstream assets.
Who Is Affected – Telecommunications operators, Managed Service Providers, IoT device manufacturers, enterprises that deploy OpenWrt‑based edge routers, and any third‑party that relies on the luci‑app‑https‑dns‑proxy package.
Recommended Actions –
- Inventory all OpenWrt deployments and verify the installed version of luci‑app‑https‑dns‑proxy.
- Apply the vendor‑released patch (or upgrade to a version released after 2026‑01‑17).
- Enforce strong, unique credentials for router admin accounts, and restrict rpcd/LuCI ACLs so that only accounts that actually need to manage https‑dns‑proxy can reach its write methods.
- Implement network segmentation (keep the router management interface off user‑facing segments) and continuous monitoring of UBus JSON‑RPC requests for anomalous calls, in particular requests to the vulnerable method that carry shell metacharacters in their arguments.
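The monitoring step above can be turned into concrete detection logic. The block below is an added example, not code from the advisory or from the OpenWrt project: it parses ubus JSON‑RPC request bodies in the format the /ubus endpoint accepts (params = [session, object, method, arguments]), and flags calls to setInitAction whose string arguments contain shell metacharacters. The ubus object name luci.https-dns-proxy, the argument names, and the sample request bodies are assumptions constructed for the example; only the method name setInitAction comes from the advisory.

```python
import json

# Characters with meaning to a POSIX shell. Any of them inside a string
# argument of a method that is known to reach a shell command is suspicious.
SHELL_META_CHARS = set(";&|`$(){}<>\"'\\\n")

# Method named in the advisory as the injection point. The set can be widened
# if further methods turn out to be affected.
WATCHED_METHODS = {"setInitAction"}


def parse_ubus_call(body):
    """Parse one ubus JSON-RPC request body (/ubus endpoint format).

    Returns {"sid", "object", "method", "args"} for a well-formed 'call'
    request, or None for anything else (list/login requests, bad JSON, ...).
    """
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if not isinstance(req, dict) or req.get("method") != "call":
        return None
    params = req.get("params")
    if not isinstance(params, list) or len(params) < 4:
        return None
    sid, obj, method, args = params[:4]
    if not isinstance(args, dict):
        return None
    return {"sid": sid, "object": obj, "method": method, "args": args}


def _strings(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def suspicious_calls(bodies):
    """Return (index, object, method, offending_string) for every request that
    invokes a watched method with a shell metacharacter in any argument."""
    hits = []
    for i, body in enumerate(bodies):
        call = parse_ubus_call(body)
        if call is None or call["method"] not in WATCHED_METHODS:
            continue
        for s in _strings(call["args"]):
            if any(c in SHELL_META_CHARS for c in s):
                hits.append((i, call["object"], call["method"], s))
                break  # one finding per request is enough
    return hits


# Constructed sample traffic (not captured from a real device). The session
# id and the object name "luci.https-dns-proxy" are placeholders.
SID = "00000000000000000000000000000000"
SAMPLE_BODIES = [
    # benign read-only call
    json.dumps({"jsonrpc": "2.0", "id": 1, "method": "call",
                "params": [SID, "luci.https-dns-proxy", "getInitList",
                           {"name": "https-dns-proxy"}]}),
    # benign service restart
    json.dumps({"jsonrpc": "2.0", "id": 2, "method": "call",
                "params": [SID, "luci.https-dns-proxy", "setInitAction",
                           {"name": "https-dns-proxy", "action": "restart"}]}),
    # shell metacharacter in an argument of the vulnerable method
    json.dumps({"jsonrpc": "2.0", "id": 3, "method": "call",
                "params": [SID, "luci.https-dns-proxy", "setInitAction",
                           {"name": "https-dns-proxy", "action": "restart; id"}]}),
    # not a 'call' request at all
    json.dumps({"jsonrpc": "2.0", "id": 4, "method": "list", "params": []}),
]

if __name__ == "__main__":
    for hit in suspicious_calls(SAMPLE_BODIES):
        print("suspicious ubus call #%d: %s.%s arg=%r" % hit)
```

Feed it the request bodies logged by a reverse proxy or IDS in front of the router's management interface. Because the exploit requires a valid session, a hit should be correlated with the account that owns the session id so the credential can be revoked, not just the request blocked.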
Technical Notes – The exploit requires authenticated access (a user whose ACL includes the https‑dns‑proxy permissions). It abuses a command‑injection vulnerability in the setInitAction RPC method exposed over UBus; because rpcd runs as root, the injected command executes with root privileges. No CVE number has been assigned yet (pending). Exposed data includes the router configuration, cryptographic keys stored on the device, and any traffic passing through it.
Source: Exploit Database – OpenWrt 23.05 Authenticated RCE (EDB‑52521)