
CVE-2025-57389: n/a

Medium
Published: Wed Oct 01 2025 (10/01/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A reflected cross-site scripting (XSS) vulnerability in the /admin/system/packages endpoint of Luci OpenWRT v18.06.2 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload. This vulnerability was fixed in OpenWRT v19.07.0.

AI-Powered Analysis

Last updated: 10/18/2025, 03:46:36 UTC

Technical Analysis

CVE-2025-57389 is a reflected cross-site scripting (XSS) vulnerability in the /admin/system/packages endpoint of Luci OpenWRT version 18.06.2. The endpoint does not properly sanitize user-supplied input, so injected JavaScript is reflected back in the HTTP response. When a user with access to the vulnerable interface interacts with a crafted URL or payload, the script executes in their browser context. This can lead to theft of session cookies, unauthorized actions performed on behalf of the user, or redirection to malicious sites.

In CVSS terms, the attack vector is network (AV:N), attack complexity is low (AC:L), and low privileges are required (PR:L), meaning the attacker must have some authenticated access to the device's web interface. User interaction is also required (UI:R), such as clicking a malicious link. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the vulnerable component. The vulnerability was addressed in OpenWRT version 19.07.0 by properly sanitizing inputs and preventing script injection. No known exploits are currently reported in the wild. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to network devices running vulnerable OpenWRT versions, especially routers and gateways managed via the Luci web interface. Successful exploitation could allow attackers to hijack administrative sessions, manipulate device configurations, or pivot within the network. This could lead to compromised network integrity and confidentiality, potentially exposing sensitive internal communications or enabling further attacks. Organizations relying on OpenWRT 18.06.2 in critical infrastructure or enterprise environments may face service disruptions or data breaches if attackers exploit this flaw. The requirement for some privilege and user interaction limits mass exploitation but targeted attacks against administrators or privileged users remain a concern. Given the widespread use of OpenWRT in European ISPs, enterprises, and IoT deployments, the impact could be significant if unpatched devices are present.

Mitigation Recommendations

European organizations should immediately verify whether any network devices or infrastructure components are running Luci OpenWRT version 18.06.2 or earlier vulnerable versions. The primary mitigation is to upgrade all affected devices to OpenWRT version 19.07.0 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, organizations should restrict access to the Luci web interface to trusted networks only, implement strong authentication controls, and educate administrators to avoid clicking untrusted links. Network segmentation can limit exposure of vulnerable devices. Additionally, deploying web application firewalls (WAFs) or intrusion detection systems (IDS) with signatures for reflected XSS attempts targeting OpenWRT interfaces can provide temporary protection. Regular monitoring of device logs for suspicious activity and enforcing strict browser security policies (e.g., Content Security Policy) can further reduce risk.
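
The version check from the first mitigation step, as an added example (not code from OpenWrt or from this page's source). It reads `DISTRIB_RELEASE` from `/etc/openwrt_release`-style content and classifies it against the fixed release 19.07.0 named above; the host names and inventory are constructed, and treating every release below 19.07.0 as needing an upgrade is a conservative assumption.

```shell
#!/bin/sh
# Added example (not vendor code). The fixed version comes from the advisory
# text; treating every release below it as "upgrade" is an assumption.

# Extract DISTRIB_RELEASE from an /etc/openwrt_release-style file without sourcing it.
release_from_file() {
    sed -n 's/^DISTRIB_RELEASE=//p' "$1" | tr -d "'\"" | head -n 1
}

# Print "fixed" (>= 19.07.0), "upgrade" (< 19.07.0) or "unknown" (not x.y.z).
classify_release() {
    rel=$1
    case "$rel" in
        ''|*[!0-9.]*) echo unknown; return 0 ;;  # SNAPSHOT, -rc builds, vendor strings
    esac
    old_ifs=$IFS; IFS=.
    set -- $rel
    IFS=$old_ifs
    if [ "$#" -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo unknown; return 0
    fi
    # Patch level is irrelevant: every 19.07.x is >= 19.07.0.
    if [ "$1" -gt 19 ] || { [ "$1" -eq 19 ] && [ "$2" -ge 7 ]; }; then
        echo fixed
    else
        echo upgrade
    fi
}

# Read "host release" pairs on stdin, print "host release verdict".
audit_inventory() {
    while read -r host rel; do
        [ -n "$host" ] || continue
        echo "$host ${rel:-?} $(classify_release "$rel")"
    done
}

# Constructed inventory (hypothetical host names), e.g. collected over SSH.
audit_inventory <<'EOF'
gw-branch-01 18.06.2
gw-branch-02 19.07.0
ap-lab-03 19.07.0-rc1
gw-core-04 21.02.3
ap-lab-05 SNAPSHOT
EOF
```

Devices reported as `unknown` (snapshot, release-candidate or vendor builds) need a manual check, since the advisory text only names 18.06.2 as affected and 19.07.0 as fixed.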


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-17T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68dd8fe35b743f3e8e9287c2

Added to database: 10/1/2025, 8:32:35 PM

Last enriched: 10/18/2025, 3:46:36 AM

Last updated: 11/12/2025, 6:55:17 AM
