Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Requires admin-level ubus session (PR:H); network-reachable endpoint (AV:N); impacts only confidentiality via sensitive file disclosure, no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, the cgi-download handler in cgi-io authorizes the requested path against the caller's ubus session file ACL before canonicalization, and rpcd session.c uses fnmatch() without FNM_PATHNAME, allowing traversal such as an allowed wildcard prefix followed by ../ to read root-readable files including /etc/shadow. This vulnerability is fixed in 25.12.5.
AnalysisAI
Path traversal in OpenWrt's cgi-io cgi-download handler (prior to 25.12.5) allows an authenticated administrator to read arbitrary root-readable files - including /etc/shadow - by exploiting a TOCTOU-style authorization flaw where ACL checks occur before path canonicalization. The rpcd session.c ACL matcher uses fnmatch() without FNM_PATHNAME, meaning a wildcard-prefixed ACL entry (e.g., /etc/config/*) can be defeated by appending ../ sequences that pass the ACL check but resolve to an out-of-scope file when open() is called. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid high-privilege ubus session token with at least one file read ACL grant covering a directory path with a wildcard (e.g., /etc/config/*) - this corresponds to PR:H in the CVSS vector and reflects admin-level access to the OpenWrt management interface. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) correctly reflects that while the confidentiality impact is high - reading /etc/shadow gives access to password hashes enabling offline cracking - the PR:H requirement is a genuine and significant barrier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained OpenWrt admin credentials - through credential stuffing, phishing, or a prior compromise - authenticates and obtains a ubus session token that includes a file read ACL for /etc/config/*. The attacker then issues a crafted HTTP request to the cgi-download endpoint specifying a path such as /etc/config/../shadow; fnmatch() matches this against /etc/config/* without FNM_PATHNAME and the ACL check passes, but open() resolves the embedded '..' and returns the contents of /etc/shadow, providing password hashes for offline cracking. |
| Remediation | Upgrade to OpenWrt 25.12.5, which introduces path canonicalization before ACL validation in both the cgi-download and main_exec handlers. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
In wlan service, there is a possible out of bounds write due to improper input validation. Rated critical severity (CVSS
An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. Rated high severity (CVS
cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the
In wlan service, there is a possible out of bounds write due to an incorrect bounds check. Rated critical severity (CVSS
An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1
An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1
Remote privilege escalation in Android WLAN AP driver via packet injection.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es
Remote code execution in OpenWrt's mDNS daemon (versions before 24.10.6 and 25.12.1) allows unauthenticated attackers to
Remote code execution in OpenWrt mdns daemon (versions before 24.10.6 and 25.12.1) allows unauthenticated attackers to c
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44756