A crafted WiFi SSID can trigger an XSS vulnerability in OpenWrt's LuCI web interface when an administrator opens the wireless scan page. The vulnerability exists in wireless.js within luci-mod-network, where SSID values are passed unsanitized into innerHTML. Using two access points simultaneously to overcome the 32-byte SSID length limit, an attacker can load arbitrary JavaScript in the admin session. The injected script then uses the ubus API to plant an SSH public key and enable gateway ports, resulting in persistent root SSH access with no visible indication to the admin. The fix replaces innerHTML with safe text node insertion and is available in OpenWrt 24.10.6 and 25.12.1. The attack requires no credentials and no interaction beyond the admin opening the scan page while malicious SSIDs are in range.
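As an added example (not code from LuCI or from the original write-up), the block below shows the text-node rendering pattern the fix is described as using, together with a defender-side check that flags scanned SSIDs containing tag delimiters. The function names, the `doc` parameter and the sample SSIDs are constructed for illustration.

```javascript
// Added example, not LuCI code. Names and sample SSIDs are constructed.
const MARKUP = /[<>]/; // tag delimiters; '&' and quotes are common in benign SSIDs

// Mitigation pattern: the SSID goes into a text node, so the HTML parser never sees it.
// `doc` is any DOM Document (window.document in a browser).
function ssidCell(doc, ssid) {
  const td = doc.createElement('td');
  td.appendChild(doc.createTextNode(ssid));
  return td;
}

// Make control characters visible so a finding can be logged safely.
function printable(ssid) {
  return Array.from(ssid, ch => {
    const cp = ch.codePointAt(0);
    return cp < 0x20 || cp === 0x7f ? `\\x${cp.toString(16).padStart(2, '0')}` : ch;
  }).join('');
}

// Detection: flag scanned SSIDs that carry tag delimiters.
function auditScan(ssids) {
  const findings = ssids
    .filter(ssid => MARKUP.test(ssid))
    .map(ssid => ({
      ssid: printable(ssid),
      bytes: new TextEncoder().encode(ssid).length, // SSIDs are limited to 32 bytes
    }));
  // Two or more markup-bearing SSIDs in one scan is a stronger signal,
  // since the summary describes two access points being used together.
  return { findings, multipleMarkupSsids: findings.length >= 2 };
}

// Constructed scan result: two benign names, two names carrying markup.
const SAMPLE_SCAN = ['HomeNet', 'Cafe <b>free</b>', 'Tom & Ann', '<i>guest</i>\t5G'];
console.log(JSON.stringify(auditScan(SAMPLE_SCAN), null, 2));
```

A flagged SSID is not proof of an attack, but on an unpatched release it is a reason to upgrade before opening the scan page.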