Malware & Threats

Critical OpenWrt Flaw Exposes Firmware Update Server to Exploitation


The OpenWrt Project, an open-source initiative providing a Linux-based operating system for embedded devices, has pushed a critical patch to cover flaws that expose its firmware update server to malicious exploitation. The vulnerability, tracked as CVE-2024-54143, affects the OpenWrt sysupgrade server and exposes users to the risk of installing compromised firmware images. An OpenWrt bulletin explains the problem: “Due to the combination of command injection in the image builder and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes a hash collision.”
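Why a truncated digest is unsafe as a cache key for build requests, as an added example that is not OpenWrt's code or part of the original article. The function names, the request encoding, the constructed package names and the 5-hex-character truncation are assumptions chosen so the comparison with a full-digest key runs instantly.

```python
import hashlib
from itertools import count

def request_digest(profile, packages):
    """Full SHA-256 over a length-prefixed, order-independent request encoding."""
    h = hashlib.sha256()
    for field in [profile, *sorted(packages)]:
        data = field.encode()
        h.update(len(data).to_bytes(4, "big") + data)  # prefix avoids ambiguous joins
    return h.hexdigest()

def cache_key(profile, packages, hex_chars=None):
    """Cache key: the full digest by default, or its first hex_chars characters."""
    digest = request_digest(profile, packages)
    return digest if hex_chars is None else digest[:hex_chars]

def birthday_bound(hex_chars):
    """Approximate number of requests before two keys clash: 2^(bits/2)."""
    return 2 ** (2 * hex_chars)  # 4 bits per hex char, halved

def first_key_clash(profile, hex_chars):
    """Return two different package lists whose truncated keys are equal."""
    seen = {}
    for i in count():
        packages = ["base-files", f"constructed-pkg-{i}"]  # constructed names
        key = cache_key(profile, packages, hex_chars)
        if key in seen:
            return seen[key], packages
        seen[key] = packages

def demo(hex_chars=5):
    profile = "constructed-profile"
    first, second = first_key_clash(profile, hex_chars)
    # Each cache holds the image built for `first`; `second` is then requested.
    weak = {cache_key(profile, first, hex_chars): first}
    strong = {cache_key(profile, first): first}
    return {
        "first": first,
        "second": second,
        "weak_serves": weak.get(cache_key(profile, second, hex_chars)),
        "strong_serves": strong.get(cache_key(profile, second)),
    }

if __name__ == "__main__":
    result = demo()
    print("requests before a clash is likely:", birthday_bound(5))
    print("truncated key serves", result["weak_serves"], "for", result["second"])
    print("full-digest key serves", result["strong_serves"])
```

Each extra hex character kept multiplies the bound by four, so only the full 64-character digest retains SHA-256's collision resistance.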
