In the open-source Linux operating system OpenWrt, developers have fixed two security vulnerabilities. These flaws could potentially allow the injection and execution of malicious code as well as privilege escalation. The vulnerabilities are considered highly critical. Anyone using OpenWrt should therefore install the updated images.
The developers have fixed the vulnerabilities in OpenWrt version 24.10.4 and later. Snapshot builds since October 18, 2025, include the patches, while the ltq-ptem driver was corrected on October 15. According to the project, all older OpenWrt versions are vulnerable. However, OpenWrt versions such as 23.05 or 22.03 have reached end-of-life and therefore no longer receive security updates.
I believe all OpenWrt routers are currently vulnerable, and unfortunately, those running version 23.05 won’t receive a fix. Only the latest OpenWrt update fully addresses and patches these security vulnerabilities.
The vulnerability allows attackers to break out of a ujail sandbox or other restrictions. This only affects the Lantiq build targets with support for xrx200, Danube, and Amazon SoCs (System-on-Chip) from Lantiq, Intel, and MaxLinear.
Which of the GL.iNet routers provides any of the named devices? I know of none.
The GL.iNet routers support PPPoE, but have no (V)DSL modem of their own. So I don't think this issue will apply here.
The first issue described a local user (aka process) that could use remote code execution.
The only external dependency I know of is AdGuard Home… the GL.iNet routers are pretty closed when it comes to third-party plugins. The advice is strongly against upgrading individual packages if you don't know what you are doing.
Yes, the issue still exists. But I want to read about a vector where this issue will compromise home/travel router security.