OpenWrt Vulnerability Allows Malicious Firmware Injection
🦠 Critical vulnerability in OpenWrt’s Attended Sysupgrade. A newly disclosed flaw in OpenWrt’s Attended Sysupgrade (ASU) build service, tracked as CVE-2024-54143 with a CVSS score of 9.3, could let an attacker distribute malicious firmware images to other users of the service. Discovered by Flatt Security researcher RyotaK, the issue combines two weaknesses: a command injection in the build process, which lets an unauthenticated requester control what the build server produces, and a hash collision in the way build requests are identified, which lets a poisoned image be returned in place of a legitimate one. Because the server signs what it builds, the resulting image carries OpenWrt’s legitimate build key and a device would accept it as genuine. OpenWrt maintainers have fixed the server in ASU commit 920c8a1 and urge users to update immediately. No authentication is required to exploit the flaw, which makes it a supply chain concern for anyone relying on ASU-built images.
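The two weaknesses the advisory names, a command injection in the build step and a collision in a truncated request hash, as an added illustration in Python. This is constructed example code written for this page, not OpenWrt ASU's source; the package-name allowlist, the request fields and the 6-character truncation used for the collision search are assumptions chosen so the demonstration runs in seconds.

```python
"""Hypothetical illustration of the two weaknesses named in the advisory:
a build command assembled from unvalidated package names (command injection)
and a build-cache key derived from a truncated hash (collision). Constructed
example code, not OpenWrt ASU's source."""
import hashlib
import json
import re

# Assumed allowlist for package names: letters, digits, '.', '_', '-', '+'.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def is_valid_package_name(name):
    """True only for names that cannot carry shell metacharacters."""
    return bool(PACKAGE_NAME_RE.match(name))


def build_command_unsafe(packages):
    """Vulnerable pattern: names are pasted into a string handed to a shell.
    A name like 'x; curl ...' is parsed by the shell, not by make."""
    return 'make image PACKAGES="' + " ".join(packages) + '"'


def build_command_safe(packages):
    """Hardened pattern: reject anything outside the allowlist, and return an
    argv list so the command never passes through a shell."""
    bad = [p for p in packages if not is_valid_package_name(p)]
    if bad:
        raise ValueError(f"rejected package names: {bad}")
    return ["make", "image", "PACKAGES=" + " ".join(packages)]


def request_hash(request, hex_chars=64):
    """Cache key for a build request: SHA-256 of canonical JSON, keeping the
    first hex_chars characters (64 keeps the whole digest)."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:hex_chars]


def find_collision(hex_chars, max_tries=1_000_000):
    """Birthday search for two distinct requests with the same truncated key.
    Returns (request_a, request_b) or None. With hex_chars=6 (24 bits) a
    collision is expected after roughly 2**12 tries."""
    seen = {}
    for i in range(max_tries):
        # Constructed request: only the package list varies between tries.
        req = {"target": "ath79/generic", "version": "23.05.5",
               "packages": ["luci", f"probe-{i}"]}
        key = request_hash(req, hex_chars)
        if key in seen:
            return seen[key], req
        seen[key] = req
    return None


if __name__ == "__main__":
    hostile = ["luci", "x; touch /tmp/pwned"]
    print("unsafe:", build_command_unsafe(hostile))
    try:
        build_command_safe(hostile)
    except ValueError as err:
        print("safe:", err)
    pair = find_collision(6)
    print("24-bit key collision:", request_hash(pair[0], 6),
          pair[0]["packages"], pair[1]["packages"])
```

The search cost scales as roughly 2^(bits/2): a 24-bit key falls after a few thousand hashes, while the same search over the full 256-bit digest finds nothing. Validating names before they reach any command, and passing the command as an argv list rather than a shell string, closes the injection path independently of the hash fix.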
