Security Report Delivery Issue – Critical Vulnerability in OpenWrt 25.12.0-rc1

麒麟兔 1713408044 at qq.com
Mon Jan 12 19:25:19 PST 2026


Dear OpenWrt Admin Team,


First, my apologies—my previous email couldn’t be delivered to contact at openwrt.org, so I’m resending this for clarity.


Thank you for your response. I understand your point: if an attacker already has root access, achieving RCE is indeed expected behavior.


However, I’d like to clarify the context of my report. In my testing, I found that many OpenWrt devices only allow root login by default and do not support creating unprivileged users (e.g., a "guest" account). This means that if an attacker compromises credentials—such as through weak or default passwords exposed online—they can log into the web management interface (e.g., LuCI) and **immediately execute arbitrary system commands directly from the admin panel**, leading to full system compromise—**without requiring SSH access at all**.


As a result, what might start as a relatively limited web application issue (e.g., credential reuse, weak authentication, or CSRF in the LuCI interface) can instantly escalate to **complete system takeover**, including the ability to add cron jobs, reverse shells, or persistent backdoors.


The core concern isn’t that “root can run code”—it’s that **OpenWrt’s default configuration equates administrative web access with unrestricted root shell privileges**, with no intermediate privilege boundary. Even basic user separation or restricting command/script execution capabilities for web-authenticated sessions could significantly reduce the impact of credential-based attacks.


I hope this better explains the risk I was trying to highlight. Happy to discuss further!


Best regards,
Zhang Xuewen

