
CVE-2022-41435: n/a in n/a

Medium
Published: Thu Nov 03 2022 (11/03/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments.

AI-Powered Analysis

Last updated: 07/07/2025, 01:55:02 UTC

Technical Analysis

CVE-2022-41435 is a stored cross-site scripting (XSS) vulnerability identified in the OpenWRT LuCI web interface, specifically in the /system/sshkeys.js component. OpenWRT is a widely used open-source Linux-based operating system for embedded devices, primarily routers. LuCI is its web-based configuration interface. The vulnerability arises because the application improperly sanitizes user-supplied input in the public key comments field when managing SSH keys. An attacker can craft malicious public key comments containing executable JavaScript or HTML code. When an administrator or user accesses the affected LuCI interface page that displays these SSH keys, the malicious script is executed in their browser context. This stored XSS can lead to session hijacking, credential theft, or unauthorized actions performed with the privileges of the logged-in user. The CVSS 3.1 base score is 5.4 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, but needs privileges (authenticated user) and user interaction (viewing the malicious key). The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable module. No known exploits in the wild have been reported, and no official patches or vendor advisories are linked in the provided data. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw.

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the deployment of OpenWRT-based devices with LuCI interfaces in their network infrastructure. Many small to medium enterprises and some larger organizations use OpenWRT routers or embedded devices for network management, especially in environments requiring customizable or cost-effective networking solutions. Exploitation of this vulnerability could allow attackers to execute arbitrary scripts in the context of network administrators or users managing these devices, potentially leading to theft of administrative credentials, unauthorized configuration changes, or pivoting deeper into the network. This could compromise network integrity and confidentiality, disrupt operations, and facilitate further attacks such as lateral movement or data exfiltration. Given that exploitation requires authenticated access and user interaction, the threat is more relevant in environments where multiple users have access to the LuCI interface or where attackers have obtained some level of user credentials. The lack of known exploits reduces immediate risk but does not eliminate it, especially as attackers may develop exploits over time. The medium severity suggests a moderate risk that should be addressed promptly to prevent escalation.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the LuCI web interface to trusted administrators only, ideally via network segmentation or VPN access, to reduce exposure.
2. Implement strict input validation and sanitization on the public key comments field to neutralize any embedded scripts; if possible, update to a patched version of OpenWRT LuCI once available.
3. Monitor and audit SSH key entries regularly for suspicious or malformed comments that could indicate attempted exploitation.
4. Enforce strong authentication mechanisms for accessing the LuCI interface, such as multi-factor authentication, to reduce the risk of unauthorized access.
5. Educate administrators about the risks of clicking on or viewing untrusted SSH key comments and encourage cautious behavior.
6. If patching is not immediately possible, consider disabling the SSH key management feature in LuCI or using alternative management methods until a fix is applied.
7. Keep OpenWRT and LuCI installations up to date with the latest security releases and monitor vendor advisories for patches addressing this vulnerability.
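Mitigations 2 and 3 can be combined in one audit pass over an authorized_keys file. The following is an added example, not LuCI's code and not part of the original advisory: it flags key comments that carry markup characters and shows the HTML-escaped form that is safe to render. The function names are hypothetical and the key lines are constructed sample data.

```javascript
// Key types accepted in authorized_keys lines (OpenSSH public key formats).
const KEY_TYPES = /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/;
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise a string before it is placed into HTML output.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Split one key line into type, base64 blob and free-text comment.
// Fields before the key type (options) are skipped; null means "not a key line".
function parseKeyLine(line) {
  const fields = line.trim().split(/\s+/);
  const i = fields.findIndex(f => KEY_TYPES.test(f));
  if (i < 0 || fields.length < i + 2) return null;
  return { type: fields[i], blob: fields[i + 1], comment: fields.slice(i + 2).join(' ') };
}

// Report lines that do not parse, and comments containing markup or control characters.
function auditKeys(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const trimmed = line.trim();
    if (!trimmed || trimmed.startsWith('#')) return; // blank or file comment
    const key = parseKeyLine(trimmed);
    if (key === null) {
      findings.push({ line: idx + 1, reason: 'unparseable' });
    } else if (/[<>"'`&]|[\x00-\x1f]/.test(key.comment)) {
      findings.push({ line: idx + 1, reason: 'markup-in-comment', safe: escapeHtml(key.comment) });
    }
  });
  return findings;
}

// Constructed sample input: blobs are placeholders, not real keys.
const SAMPLE = [
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ConstructedBlobForExampleOnly admin@router',
  '# managed by the network team',
  'ssh-rsa AAAAB3NzaC1yc2EConstructedBlobForExampleOnly <script>alert(1)</script>',
  'not a key',
].join('\n');

console.log(auditKeys(SAMPLE));
```

In browser-side rendering code, the equivalent of `escapeHtml` is to assign the comment through `textContent` or a text node rather than building markup from it.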


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-09-26T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d981fc4522896dcbdcb76

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/7/2025, 1:55:02 AM

Last updated: 8/16/2025, 7:25:54 PM
