Security News > 2023 > September > ASUS routers vulnerable to critical remote code execution flaws
Three critical-severity remote code execution vulnerabilities impact ASUS RT-AX55, RT-AX56U V2, and RT-AC86U routers, potentially allowing threat actors to hijack devices if security updates are not installed.
The flaws, which all have a CVSS v3.1 score of 9.8 out of 10.0, are format string vulnerabilities that can be exploited remotely and without authentication, potentially allowing remote code execution, service interruptions, and performing arbitrary operations on the device.
Format string flaws are security problems arising from unvalidated and/or unsanitized user input within the format string parameters of certain functions.
Attackers exploit these flaws using specially crafted input sent to the vulnerable devices.
ASUS released patches that address the three flaws in early August 2023 for RT-AX55, in May 2023 for AX56U V2, and in July 2023 for RT-AC86U. Users who haven't applied security updates since then should consider their devices vulnerable to attacks and prioritize the action as soon as possible.
As many consumer router flaws target the web admin console, it is strongly advised to turn off the remote administration feature to prevent access from the internet.
News URL
Related news
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution (source)
- Rsync vulnerabilities allow remote code execution on servers, patch quickly! (source)
- Meta's Llama Framework Flaw Exposes AI Systems to Remote Code Execution Risks (source)
- Netgear warns users to patch critical WiFi router vulnerabilities (source)
- New “whoAMI” Attack Exploits AWS AMI Name Confusion for Remote Code Execution (source)
- Juniper patches critical auth bypass in Session Smart routers (source)
- Critical flaws in Mongoose library expose MongoDB to data thieves, code execution (source)