Root from the parking lot: OpenWRT XSS through SSID scanning (CVE-2026-32721)

mxsasha.eu · birdculture · 14 days ago · view on HN · vulnerability
March 19, 2026

Lately, I’ve been experimenting with unusual XSS vectors. XSS (cross-site scripting) allows an attacker to execute arbitrary JavaScript in another user’s browser session. Sometimes the result is merely entertaining, sometimes the result is:

Dear Sasha, excellent (and terrible) find!

A crafted wifi SSID could lead to an XSS in the OpenWRT admin interface, if an admin opened the nearby wifi scan while the SSID was active. Given full access to the admin interface, I could then escalate this to a remote root shell.

The XSS vulnerability

OpenWRT’s LuCI web interface includes a wireless scan page that lets administrators scan for nearby networks and displays a table of visible access points, including their SSIDs. The vulnerability is in wireless.js in the luci-mod-network package. The SSID ultimately passes into innerHTML. No sanitisation is applied at any point in the data path. An SSID can consist of up to 32 arbitrary bytes, and the characters needed for HTML injection are all printable ASCII, so they pass through the entire stack without modification.

This is not the first SSID injection in LuCI. CVE-2019-25015 identified the same class of bug in the wireless Join flow (Network → Wireless → Scan → Join). This finding affects the scan result list itself, which requires less interaction with the malicious network: it only needs to be visible in a scan.

The attack requires:
- A malicious access point, broadcasting beacon frames that are received by the OpenWRT device
- An administrator to open the wireless scan page at the same time

It does not require the administrator to connect to the malicious network, or even click on it. Visibility in the scan is sufficient. No authentication details of the attacked network are required: the attacker does not need any credentials for a device or wifi network.
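To make the data-path problem concrete, here is an added illustration in JavaScript that is not LuCI's own code. It places the kind of string interpolation that ends up in innerHTML beside a hardened row renderer that escapes the SSID and enforces the 32-byte limit, and includes a small check a test suite could run over rendered output. The scan results, function names and table layout are all constructed assumptions.

```javascript
// Added example, not LuCI code: an innerHTML-style sink beside a hardened
// rendering of a scan-result row. The SSIDs and table layout are constructed.

const MAX_SSID_BYTES = 32; // 802.11 limit on SSID length

// Constructed scan results (not real networks). The second entry carries HTML
// metacharacters, which a beacon frame may legally contain.
const SCAN_RESULTS = [
  { ssid: "HomeNetwork", bssid: "00:11:22:33:44:55", signal: -48 },
  { ssid: "<b>Guest</b>", bssid: "66:77:88:99:aa:bb", signal: -71 },
  { ssid: "Caf\u00e9 \"Lounge\"", bssid: "cc:dd:ee:ff:00:11", signal: -80 },
];

// Vulnerable shape: the untrusted SSID is interpolated into markup that the
// page later assigns to innerHTML, so any tag inside the SSID becomes live DOM.
function renderRowUnsafe(r) {
  return `<tr><td>${r.ssid}</td><td>${r.bssid}</td><td>${r.signal} dBm</td></tr>`;
}

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened shape: enforce the protocol's byte limit, then escape every field
// before it reaches a markup string. In a real page the equivalent is to build
// the cell with createElement and assign td.textContent = ssid, never innerHTML.
function renderRowSafe(r) {
  const ssidBytes = new TextEncoder().encode(r.ssid).length;
  if (ssidBytes > MAX_SSID_BYTES) {
    throw new RangeError(`SSID of ${ssidBytes} bytes exceeds ${MAX_SSID_BYTES}`);
  }
  return `<tr><td>${escapeHtml(r.ssid)}</td><td>${escapeHtml(r.bssid)}</td>`
       + `<td>${escapeHtml(r.signal)} dBm</td></tr>`;
}

function renderTable(results, renderRow) {
  return `<table><tbody>${results.map(renderRow).join("")}</tbody></table>`;
}

// Defender's check for a unit test: after removing the tags our own template
// emits, does anything remain that still parses as a tag? If so, untrusted
// input reached the markup unescaped.
function hasForeignTags(html) {
  const stripped = html.replace(/<\/?(table|tbody|tr|td)>/g, "");
  return /<[a-zA-Z/!]/.test(stripped);
}

const unsafeHtml = renderTable(SCAN_RESULTS, renderRowUnsafe);
const safeHtml = renderTable(SCAN_RESULTS, renderRowSafe);
console.log("unsafe rendering leaks tags:", hasForeignTags(unsafeHtml)); // true
console.log("safe rendering leaks tags:", hasForeignTags(safeHtml));     // false
```

The byte-length check is there because the 32-byte cap is a protocol fact the renderer can rely on: anything longer did not come from a beacon frame and indicates a bug elsewhere in the pipeline. The hasForeignTags check is deliberately crude; its purpose is to fail a test the moment an unescaped field appears in rendered output, not to parse HTML.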
For further refinement, a cheap device left behind broadcasting malicious SSIDs would also work, waiting passively for an admin to open the scan page. Directional antennas could increase the physical attack range, as the communication is one way. And intentionally disrupting the network may make it more likely for an admin to open the scan page, to see if perhaps someone else started using the same channel.

The attack window exists only while the malicious SSIDs are in range. Once they disappear, the risk is gone: the attack requires an admin opening the page while they were active.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, score 8.6.

Overcoming length limits with two SSIDs

The XSS payload in an SSID is constrained by the 32-byte SSID length limit, and