External risk intelligence

OpenWrt DHCPv6 FQDN Option Vulnerability Allows HTML Injection in Admin Page.

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-62948

This vulnerability requires injecting malicious DHCPv6 lease data that only executes when an administrator views the Active DHCPv6 Leases page in the LuCI interface. Since this management portal is typically restricted to internal network access and requires authenticated administrator interaction to trigger the stored XSS, the likelihood of widespread or opportunistic exploitation is low.

Cross-site Scripting

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in OpenWrt's DHCPv6 client that could allow for the injection of malicious code into administrative interfaces when lease data is displayed. The primary risk involves the potential for unauthorized actions or data exposure if an administrator views the affected lease information. The main concern is confirming relevance and exposure.

  • Malicious code can be injected into lease data.
  • Affects administrative access to DHCP lease information.
  • Confirm relevance and exposure for affected systems.

Attack Path

How an attacker could exploit the issue

An attacker could inject malicious data into the DHCPv6 lease information, which is then displayed on the OpenWrt device's admin interface. This injection occurs because the system writes the DHCPv6 client hostname without proper escaping. When an administrator views the "Active DHCPv6 Leases" page, the injected data can be rendered as live HTML, potentially leading to a compromise of the admin session.

  • No authentication required for injection.
  • Displayed on admin lease page.
  • Compromise admin session.

Live Threat

Current exploitation, exposure, and threat context

The vulnerability could allow an attacker to inject malicious content into the Active DHCPv6 Leases administrative page displayed by LuCI. This occurs when a DHCPv6 client's Fully Qualified Domain Name (FQDN) option is written to lease files without proper escaping, leading to newline injection. When this data is rendered as live HTML by the LuCI interface, it could expose sensitive information or allow for unauthorized actions within the administrative context.

  • System lease data at risk.
  • Forged lease data can inject script.
  • Admin page could be compromised.

Operational Fix

Recommended remediation, mitigation, and detection steps

For OpenWrt devices running affected versions of odhcpd and LuCI, ownership likely falls to the embedded systems or infrastructure team managing these devices, with potential coordination needed from network or security teams if exposed externally. The first critical step is to inventory all OpenWrt devices, confirm if the LuCI web interface is accessible, and identify the business criticality of each device before planning remediation.

  • Identify device owners and exposure.
  • Verify LuCI administrative access.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is OpenWrt and its odhcpd component?

OpenWrt is a Linux-based operating system designed for embedded devices like routers and gateways. Within this ecosystem, odhcpd acts as the DHCP server and client, managing IP address assignments for connected devices. It handles network configuration tasks, such as tracking hostname information provided by clients, which is then managed and displayed through the LuCI web-based user interface.

How does CVE-2026-62948 enable HTML injection?

This vulnerability involves improper input validation, specifically categorized as CWE-79 (Cross-site Scripting) and CWE-117 (Improper Output Neutralization for Logs). Because the system writes DHCPv6 client hostnames to internal files without cleaning them, an attacker can inject newline characters to forge lease data. When the LuCI dashboard renders this unescaped data in the browser, the system treats the injected text as live HTML code rather than simple data, executing unauthorized content.

Do I need to be a DHCP user for this to trigger?

Yes, the attacker must provide a malicious FQDN hostname during the DHCPv6 handshake process. However, simply triggering the injection is not enough; the vulnerability remains dormant unless an administrator actively logs into the OpenWrt web interface and navigates to the 'Active DHCPv6 Leases' page. If the admin never views this specific status page, the injected malicious HTML will not execute in their browser session.

Is my device at risk based on Halo Surface Signal?

Halo Surface Signal indicates that while the vulnerability is critical, the risk is currently considered unlikely. This is because the attack requires two specific conditions: successful injection of malicious DHCPv6 data and an administrator viewing the compromised status page. Since the LuCI management interface is typically restricted to internal network access and requires authenticated administrator interaction, the path for exploitation is limited.

When should I update my OpenWrt software?

You should prioritize updating to OpenWrt version 25.12.5 as part of your regular maintenance cycle. Before applying the update, inventory your devices to identify which are running affected versions and confirm if they utilize the LuCI web interface. Focusing on devices where administrators frequently access the lease status pages will help you manage remediation efforts effectively and mitigate the risk to your administrative sessions.

References