
CVE-2025-57389: n/a

Severity: High
Type: Vulnerability (tags: cve, cve-2025-57389)
Published: Wed Oct 01 2025 (10/01/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A reflected cross-site scripting (XSS) vulnerability in the /admin/system/packages endpoint of Luci OpenWRT v18.06.2 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload.

AI-Powered Analysis

Last updated: 10/01/2025, 20:33:05 UTC

Technical Analysis

CVE-2025-57389 is a reflected cross-site scripting (XSS) vulnerability reported in the /admin/system/packages endpoint of LuCI, the web administration interface of OpenWrt, in version 18.06.2. OpenWrt is a widely deployed Linux distribution for embedded networking devices such as routers and access points. LuCI is its default web interface and runs on the device itself, so script that executes inside an administrator's LuCI session has whatever control of the router that administrator has.

In a reflected XSS the malicious script is not stored on the device: it arrives in a request parameter and is echoed unescaped into the HTTP response, where the browser executes it in the origin of the router's web interface. The attacker therefore has to get the victim to issue the crafted request, typically by delivering a link through a phishing email, a malicious or compromised web page, or other social engineering. The /admin tree of LuCI is gated by session authentication, so in the usual case the victim is an administrator who is logged in at the time the link is opened. That requirement narrows the pool of victims, but it also means a successful exploit runs with an administrator's privileges: the script can read what the session can read, submit configuration changes on the administrator's behalf, or stage further attacks against the browser.

The administrative interface is normally reachable only from the LAN, which limits exposure, but devices with remote management enabled, or with the web interface inadvertently exposed to the WAN, are attackable from anywhere the link can be opened. No CVSS score has been assigned, and no exploitation in the wild has been reported. The CVE record names only 18.06.2 and gives no fixed version. The 18.06 release branch has been out of support for some time, so a fix for it should not be expected; operators of 18.06.2 devices should assume the vulnerability is present and apply the mitigations below rather than wait for a patch.
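To make the reflection concrete, here is an added example in Python (not LuCI's Lua code, and not the vulnerable code itself): a minimal page renderer that echoes a request parameter into HTML, first verbatim and then with context-appropriate escaping. The `query` parameter name, the page template, the router address and the crafted URL are constructed for the illustration; the CVE record does not name the parameter, and the /cgi-bin/luci path prefix is the usual LuCI mount point, not something the record states.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template: the reflected value lands in an attribute value
# and in text content, the two HTML contexts that need escaping here.
PAGE = (
    '<html><body><h1>Packages</h1>'
    '<input name="query" value="{value}">'
    '<p>Results for {value}</p></body></html>'
)


def render_vulnerable(query: str) -> str:
    """Reflects the parameter verbatim; any markup in it becomes part of the page."""
    return PAGE.format(value=query)


def render_hardened(query: str) -> str:
    """Escapes <, >, & and both quote characters so the value stays data in
    both the attribute and the text context."""
    return PAGE.format(value=html.escape(query, quote=True))


def render_from_url(url: str, renderer) -> str:
    """Extract the reflected parameter from a URL the way the server would
    after the victim follows a crafted link, then render the page with it."""
    params = parse_qs(urlsplit(url).query)
    return renderer(params.get("query", [""])[0])


def contains_live_script(body: str) -> bool:
    """Crude check for a script element the browser would execute."""
    return "<script" in body.lower()


# Constructed attacker link (hypothetical parameter and path prefix): the payload
# closes the value="..." attribute and the input tag, then opens a script element.
CRAFTED_URL = (
    "http://192.168.1.1/cgi-bin/luci/admin/system/packages"
    "?query=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)

if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable),
                           ("hardened", render_hardened)):
        body = render_from_url(CRAFTED_URL, renderer)
        print(f"{name}: script executes = {contains_live_script(body)}")
```

With the vulnerable renderer the decoded payload `"><script>...</script>` terminates the attribute and the resulting document carries a live script element; with the hardened renderer the same input is emitted as `&quot;&gt;&lt;script&gt;...` and stays inert. The equivalent in LuCI's Lua template layer is its pcdata() escaping helper; the defect behind a reflected XSS is a sink that writes a request value without passing it through such an encoder for the context it lands in.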

Potential Impact

For European organizations the vulnerability matters most to enterprises, ISPs and critical infrastructure operators that run OpenWrt-based devices for routing and network management. A hijacked administrative session lets an attacker change device configuration, alter DNS or routing to intercept or redirect traffic, open the device to remote access, or use it as a foothold for lateral movement into the internal network, with data exposure and service disruption as the likely consequences. The risk is highest where the administrative interface is reachable from outside the LAN or where administrators stay logged in while browsing. Because OpenWrt is common in both SOHO and enterprise-grade routers across Europe, the affected population is broad. The attack is also well suited to targeting: a link sent to a specific administrator runs in that person's session, which makes it usable for espionage or sabotage against a chosen organization. With no patch available for this release, temporary mitigations that reduce exposure are the priority.

Mitigation Recommendations

1. Restrict access to the LuCI interface at the network level: keep it bound to the LAN or a dedicated management VLAN, limit it with firewall rules to trusted source addresses, or reach it only over a VPN. OpenWrt's default firewall rejects inbound connections from the WAN zone; verify that no traffic rule or port forward exposes the web interface (TCP 80/443) externally.
2. Disable remote administration features unless they are strictly required.
3. The attack needs an authenticated session, so administrators should log out of LuCI when finished and avoid browsing other sites from the same browser profile while logged in; train them not to open router links that arrive by email or from untrusted pages.
4. Monitor for requests to the /admin/system/packages endpoint whose parameters carry markup or script fragments. The router's own web server gives little request-level visibility, so this is practical mainly where a reverse proxy, gateway or network sensor in front of the device records requests.
5. Upgrade. OpenWrt 18.06 is end of life, so any fix will only appear in a currently supported release; plan the migration rather than waiting for an 18.06 patch. Where upgrading is impossible in the short term, front the interface with a reverse proxy or WAF that rejects requests to this endpoint containing reflected-XSS payloads.
6. A Content Security Policy limits what injected script can do, but it is a response header the server must send; it is not something the administrator's browser can apply on its own. It only helps if the device or a proxy in front of it actually emits the header.
7. Audit device configurations regularly to confirm the administrative interface is not exposed unnecessarily, that HTTPS is enforced for it, and that strong, unique administrator credentials are in place.
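As an added example (not part of the page's advisory), the following Python implements the monitoring described in item 4: it scans access-log lines for requests to the packages endpoint whose query parameters decode to markup, inline event handlers or javascript: URLs, and handles double percent-encoding so that an encoded-twice payload is still caught. It assumes combined-format access logs written by a reverse proxy or gateway in front of the router; the log lines, client addresses and payloads are constructed, and the /cgi-bin/luci prefix is the usual LuCI mount point rather than something the CVE record states.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The endpoint named in the CVE; the /cgi-bin/luci prefix seen in the sample
# lines is the usual LuCI mount point, so the path is matched by suffix only.
TARGET_PATH = "/admin/system/packages"

# Decoded parameter values that carry tag injection, an inline event handler
# or a javascript: URL. Word boundaries keep "monolith=" from matching "on...=".
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

# Combined log format: ip ident user [timestamp] "METHOD URL PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so a double-encoded '<' (%253C) is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url: str) -> list:
    """Return (name, decoded value) pairs of a request to the target endpoint
    whose values look like XSS payloads; empty for other paths or clean queries."""
    parts = urlsplit(url)
    if not parts.path.endswith(TARGET_PATH):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already removed one layer
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines) -> list:
    """Return (client_ip, url, hits) for every parseable line that targets the
    endpoint with a payload-bearing parameter. Malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["url"])
        if hits:
            findings.append((m["ip"], m["url"], hits))
    return findings


# Constructed sample log: a plain probe, a benign search, a double-encoded probe,
# a payload against a different endpoint, and an unparseable line.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2025:20:10:01 +0000] "GET /cgi-bin/luci/admin/system/packages'
    '?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Oct/2025:20:11:44 +0000] "GET /cgi-bin/luci/admin/system/packages'
    '?query=luci-app-firewall HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Oct/2025:20:12:09 +0000] "GET /cgi-bin/luci/admin/system/packages'
    '?query=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Oct/2025:20:13:30 +0000] "GET /cgi-bin/luci/admin/status/overview'
    '?x=%3Cscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, url, hits in scan(SAMPLE_LOG):
        print(f"{ip} -> {url}")
        for name, value in hits:
            print(f"    {name} = {value!r}")
```

On the sample the first and third lines are reported (the third only because the decoder strips both encoding layers), the benign search and the request to a different endpoint are not, and the malformed line is skipped. The path check is deliberately narrow to match the advisory; dropping the `TARGET_PATH` test generalises the same logic to any reflected parameter on the interface, at the cost of more noise from legitimate pages that accept free text.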


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-17T00:00:00.000Z
CVSS Version: null (no score assigned)
State: PUBLISHED

Threat ID: 68dd8fe35b743f3e8e9287c2

Added to database: 10/1/2025, 8:32:35 PM

Last enriched: 10/1/2025, 8:33:05 PM

Last updated: 10/1/2025, 8:33:05 PM

