A critical vulnerability (CVE-2024-54143, CVSS 9.3) was disclosed in OpenWrt's Attended Sysupgrade (ASU) feature; it allows attackers to distribute malicious firmware packages. Discovered by Flatt Security researcher RyotaK, the flaw combines command injection with hash collision manipulation, enabling threat actors to inject commands into the build process or serve malicious images signed with legitimate keys. Because the vulnerability can be exploited without authentication, it heightens the risk of supply chain attacks. OpenWrt users are urged to update to ASU version 920c8a1 immediately to mitigate the threat.