Router CVE Weekly Digest — Week of Mar 16, 2026

Published March 16, 2026 · RouterCVE Weekly Digest

7 CVEs · 2 Critical · 3 High · 2 Medium

Affected Vendors

  • OpenWrt / DD-WRT: 5 CVEs (2 critical, 2 high, 1 medium)
  • Linksys: 1 CVE (1 high)
  • TP-Link: 1 CVE (1 medium)

Critical Vulnerabilities

This week brings two critical stack-based buffer overflow vulnerabilities in OpenWrt's mDNS daemon that demand immediate attention. CVE-2026-30871 and CVE-2026-30872 (both CVSS 9.8) affect OpenWrt versions prior to 24.10.6 and 25.12.1, with flaws in the mdns daemon's packet parsing functions. These vulnerabilities could allow remote attackers to execute arbitrary code without authentication—a serious risk for exposed routers on internet-facing networks.

Action required: If you're running OpenWrt on production routers, prioritize upgrading to version 24.10.6 or 25.12.1 immediately. If you manage mixed firmware environments, audit your inventory for affected versions and schedule updates this week.
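One way to run the inventory audit described above is the sketch below. It is an added example, not RouterCVE or OpenWrt code. It assumes a `hostname,version` inventory format, that branches older than 24.10 count as affected, and that unparseable versions such as SNAPSHOT builds need manual review; the sample hosts are constructed.

```python
import re

# Fixed releases named in the digest, keyed by release branch (major, minor).
FIXED = {(24, 10): (24, 10, 6), (25, 12): (25, 12, 1)}

def parse_version(text):
    """Return ((major, minor, patch), is_rc), or None if not a release number."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-rc\d+)?", text.strip())
    if not m:
        return None  # e.g. SNAPSHOT builds have no comparable release number
    return tuple(int(g) for g in m.groups()[:3]), m.group(4) is not None

def classify(version_text):
    """Return 'patched', 'affected' or 'review' for one firmware version string."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "review"
    version, is_rc = parsed
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        # A release candidate of the fixed version predates the fixed release.
        if version > fixed or (version == fixed and not is_rc):
            return "patched"
        return "affected"
    # Assumption: branches older than 24.10 are treated as "prior to 24.10.6";
    # branches the digest does not mention are left for manual review.
    return "affected" if version[:2] < min(FIXED) else "review"

def audit(inventory_text):
    """Map each host in 'hostname,version' lines to its classification."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = classify(version)
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
# hostname,version
edge-gw-01,24.10.5
edge-gw-02,24.10.6
branch-ap-03,25.12.1-rc2
lab-rtr-04,SNAPSHOT
legacy-rtr-05,23.05.5
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `review` should be checked by hand rather than assumed safe.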

High-Severity Issues

CVE-2026-32721 (CVSS 8.6) is a stored cross-site scripting (XSS) vulnerability in LuCI, OpenWrt's web configuration interface. The flaw exists in the wireless scan modal where SSID values aren't properly sanitized before rendering. This could allow an attacker to inject malicious scripts that execute in administrators' browsers—potentially leading to credential theft or unauthorized configuration changes.

CVE-2026-30874 (CVSS 7.8) affects the hotplug_call function in OpenWrt versions prior to 24.10.6, allowing attackers to bypass environment variable restrictions. This could facilitate privilege escalation or system compromise depending on how the function is leveraged in your deployment.

CVE-2026-4558 (CVSS 8.8) targets Linksys MR9600 firmware version 2.0.6.206937. The vulnerability in the SmartConnect.lua configuration function allows manipulation of wireless SSID and password parameters, potentially enabling unauthorized network access or rogue AP creation.

Medium-Severity Vulnerabilities

CVE-2026-3227 (CVSS 6.8) is a command injection flaw in TP-Link routers (TL-WR802N v4, TL-WR841N v14, TL-WR840N v6). Improper sanitization of OS command inputs could allow attackers to execute arbitrary shell commands if they gain access to the web interface.

CVE-2026-30873 (CVSS 4.9) is a low-risk lexical analysis vulnerability in OpenWrt's jp_get_token function affecting versions prior to 24.10.6 and 25.12.1. While lower impact, it should be addressed as part of routine patching cycles.

Recommendations

  • OpenWrt users: Update to 24.10.6 or 25.12.1 this week to patch all five disclosed vulnerabilities.
  • Linksys MR9600 administrators: Check for firmware updates and test in a controlled environment before production deployment.
  • TP-Link users: Review available firmware patches for affected models and restrict web interface access to trusted networks in the interim.
  • All administrators: Monitor RouterCVE for patches and consider implementing network segmentation to limit router exposure.