The vulnerability resides in the OPKG package manager of OpenWrt that exists in the way it performs integrity checking of downloaded packages using the SHA-256 checksums embedded in the signed repository index. The vulnerability was discovered earlier this year by Guido Vranken from the ForAllSecure software company. Vulnerability could allow a remote man-in-the-middle attacker in a position to intercept the communication of a targeted device to execute arbitrary code by tricking the system into installing a malicious software update without verification.
Source: https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html