Pierluigi Paganini September 06, 2023

Three critical remote code execution vulnerabilities in ASUS routers potentially allow attackers to hijack the network devices.

ASUS routers RT-AX55, RT-AX56U_V2, and RT-AC86U are affected by three critical remote code execution vulnerabilities that can potentially allow threat actors to take over the devices.

The three vulnerabilities were reported by the Taiwanese CERT, below are their descriptions:

1. CVE-2023-39238 (CVSS 9.8): ASUS RT-AX55, RT-AX56U_V2 and RT-AC86U iperf-related modules set_iperf3_svr.cgi API has a format string vulnerability. This function does not properly verify the input format string. A remote, unauthenticated attacker can exploit the flaw to gain remote code execution to perform arbitrary operations on the device or interrupt service.
2. CVE-2023-39239 (CVSS 9.8): ASUS RT-AX55, RT-AX56U_V2 and RT-AC86U have a format string vulnerability in the API of the general setting function. This function does not properly verify the input format string. A remote, unauthenticated attacker can exploit this vulnerability to gain remote code execution, perform arbitrary operations on devices or interrupt services.
3. CVE-2023-39240 (CVSS 9.8): ASUS RT-AX55, RT-AX56U_V2 and RT-AC86U iperf-related modules set_iperf3_cli.cgi API has a format string vulnerability. This function does not properly verify the input format string. Remote attackers can exploit it without permission. This vulnerability allows remote code execution to perform arbitrary operations on the device or interrupt service.

Attackers can trigger the above issues by providing specially crafted input to certain administrative API functions on the devices.

The flaws impact firmware versions 3.0.0.4.386_50460, 3.0.0.4.386_50460, and 3.0.0.4_386_51529 of the RT-AX55, RT-AX56U_V2, and RT-AC86U ASUS routers.

The vendor states that the following firmware versions address the vulnerabilities:

• RT-AX55: 3.0.0.4.386_51948 or later
• RT-AX56U_V2: 3.0.0.4.386_51948 or later
• RT-AC86U: 3.0.0.4.386_51915 or later

The vendor urges customers to apply security updates as soon as possible.

ASUS recommends turning off the remote administration (WAN Web Access) feature as a workaround.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, routers)