Critical security vulnerabilities in ASUS routers -- update immediately
Three ASUS Wi-Fi routers are vulnerable to three critically rated remote code execution vulnerabilities that can be exploited by malicious actors to take over the devices.
The affected wireless routers are the ASUS RT-AX55, RT-AX56U_V2 and the RT-AC86U router. All three models are still available on the ASUS website and at retailers.
- The RT-AC86U is a dual-band gigabit Wi-Fi gaming router. It supports ASUS' AiMesh system and several other features designed to improve the gaming experience or security.
- The RT-AX55 is a dual-band WiFi 6 router that also supports ASUS' AiMesh WiFi system.
- The RT-AX56U_V2 is a high-end dual-band WiFi 6 gaming router that is compatible with Sony's PS5, supports Mesh WiFi and various other gaming related features, including a gaming port.
The three vulnerabilities have a CVSS rating of 9.8 out of 10, one of the highest possible ratings, which is explained by the nature of the security issues: all three are so-called format string vulnerabilities.
In this particular case, it means that malicious actors may take over the ASUS router remotely and without authentication. All it takes is sending a specially crafted instruction to the vulnerable device, which gives the attacker control over it.
This type of vulnerability arises when improperly validated input, e.g., user input, is used as a format string.
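To make the bug class concrete, here is an added illustration in C; it is not ASUS firmware code, and the CGI handler sketched in the comment is hypothetical. It shows the defect (untrusted text passed as the format argument of a printf-family call) next to the hardened form, plus a boundary check that flags input containing format directives so it can be logged or rejected before it reaches any formatting function:

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (not ASUS code). The bug class behind the three
 * advisories is passing untrusted text as the *format* argument of a
 * printf-family call. A hypothetical CGI handler might have done:
 *
 *     printf(query_param);          // BUG: query_param is the format string
 *
 * Every '%' directive in query_param is then interpreted by printf, so the
 * caller of the API controls what the function reads and, with %n, writes. */

/* Hardened form: the format string is a constant and the untrusted text is
 * only ever a %s argument. Returns the number of characters written, -1 on
 * error. */
int render_message_safe(char *out, size_t out_len, const char *untrusted)
{
    int n = snprintf(out, out_len, "client said: %s", untrusted);
    return n < 0 ? -1 : n;
}

/* Defensive check usable at the input boundary (e.g., a CGI parameter
 * parser): returns 1 if the string contains a format conversion directive
 * ("%x", "%n", "%s", ...). "%%" is a literal percent sign and does not count. */
int contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" escapes itself */
        return 1;
    }
    return 0;
}

/* Helper for checking behaviour: renders `untrusted` through the hardened
 * path and returns 1 if the result equals `expected` byte for byte. */
int render_and_compare(const char *untrusted, const char *expected)
{
    char buf[256];
    if (render_message_safe(buf, sizeof buf, untrusted) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];
    const char *constructed_input = "hello %s %n";   /* constructed sample */

    if (contains_format_directive(constructed_input))
        puts("input contains format directives; treating it as plain text");

    render_message_safe(buf, sizeof buf, constructed_input);
    puts(buf);   /* the %s and %n appear literally; nothing is interpreted */
    return 0;
}
```

The check is a detection aid, not the fix: the fix is that no untrusted byte ever becomes the format argument. Compiling with `-Wformat-security` (GCC and Clang) reports the unsafe pattern shown in the comment at build time.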
The vulnerabilities and patches
The routers are affected by the following three vulnerabilities:
The links do not provide a wealth of information on the issues, only that all three are input format string vulnerabilities in the API module ‘ser_iperf3_svr.cgi’ and general setting function.
ASUS has published updates for all three affected routers. Owners of the devices may want to install the firmware updates immediately to protect their devices against potential attacks that target the issues.
Here are the relevant links:
- RT-AX55 -- Download and install the latest firmware update from the ASUS website. At the time of writing, it is version 3.0.0.4.386_52041, released on August 31, 2023. It will be replaced by newer updates eventually, which should then be installed.
- RT-AX56U -- The latest firmware update is version 3.0.0.4.386.51665, released May 18, 2023. It is unclear if this addresses the issue, as the CVE lists 3.0.0.4.386_51948 as the minimum version.
- RT-AC86U -- The firmware update 3.0.0.4.386_51915 addresses the reported security issues.
Users who use one of the three ASUS routers may want to install the latest firmware on their device to protect it from potential attacks.
Bleeping Computer, which reported the issue first, also recommends disabling remote administration capabilities, if not required, which should prevent future remote attacks against the router.
Now You: which router(s) do you use, and why?
Which router do I use, and why? I use the RT-AX56_v2 because of its Wi-Fi 6 capabilities (stable and speedy connection), primarily to connect to ShadowPC with my Meta Quest 2 VR headset directly via Virtual Desktop (no intermediary PC). I also use the built-in VPN functionality with AES-NI to bypass the double NAT issue caused by my provider.