OpenWRT: Updates Close Security Vulnerabilities in Router Operating System
The developers of the open-source router operating system OpenWRT have closed two security vulnerabilities considered highly risky.
(Image: Sashkin/Shutterstock.com)
In the open-source Linux operating system OpenWRT, the developers have closed two security vulnerabilities. Under certain circumstances, they allow the injection and execution of malicious code as well as privilege escalation. The vulnerabilities are considered highly risky. Therefore, anyone using OpenWRT should install the updated images.
One of the security vulnerabilities affects ubusd (Microbus Daemon). In OpenWRT, clients -- for example, daemons or applications -- communicate with services via this. It is a system for inter-process communication. In the code for processing event registrations, attackers can trigger a heap-based buffer overflow and thereby potentially execute malicious code in the context of the ubus daemon. Since the code is executed before access permission checks, all ubus clients can send such manipulated messages and exploit the vulnerability, explain the OpenWRT developers in their security advisory (CVE-2025-62526, CVSS 7.9, Risk "high"). The project does not provide further explanations on how attacks could look that would cause ubus clients to send such manipulated messages.
The other vulnerability allows for the escalation of privileges for local users. They can read and write arbitrary kernel memory through the IOCTLs of the ltq-ptm driver, which is used for the data path of the DSL modem, writes OpenWRT in the security advisory (CVE-2025-62525, CVSS 7.9, Risk "high"). OpenWRT runs as a single-user system by default, but some services are in a sandbox. The vulnerability allows attackers to break out of a ujail sandbox or other restrictions. This only affects the Lantiq build targets with support for xrx200, Danube, and Amazon SoCs (System-on-Chip) from Lantiq, Intel, and MaxLinear. DSL must be used in PTM mode for this, which is usually the case for VDSL connections, while ADSL connections typically use ATM mode, explain the programmers. They also state that the VRX518 DSL driver is not vulnerable.
Videos by heise
Updated Software Versions
The programmers have fixed the vulnerabilities in version 24.10.4 and newer of OpenWRT. Snapshot builds since October 18, 2025, contain the fixes; the ltq-ptem driver has been corrected since October 15. All older OpenWRT versions are vulnerable, writes the project. However, OpenWRT versions like 23.05 or 22.03 have reached their end-of-life and therefore no longer receive security updates.
At the end of last year, OpenWRT closed a security vulnerability in the SysUpgrade server. Attackers could have created manipulated firmware images and compromised OpenWRT devices with them.
(dmk)
