CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-38031 – ASUS RT-AC86U - Command injection vulnerability - 1
https://notcve.org/view.php?id=CVE-2023-38031
07 Sep 2023 — ASUS RT-AC86U Adaptive QoS - Web History function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services. La función Adaptive Qos - Web History de ASUS RT-AC86U tiene un filtrado insuficiente de caracteres especiales. Un atacante remoto con privilegios de usuario normal puede aprovechar esta vulnerabilidad para realizar un ataque de in... • https://www.twcert.org.tw/tw/cp-132-7348-56989-1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-35087 – ASUS RT-AX56U V2 & RT-AC86U - Format String - 2
https://notcve.org/view.php?id=CVE-2023-35087
21 Jul 2023 — It is identified a format string vulnerability in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by lacking validation for a specific value when calling cm_processChangedConfigMsg in ccm_processREQ_CHANGED_CONFIG function in AiMesh system. An unauthenticated remote attacker can exploit this vulnerability without privilege to perform remote arbitrary code execution, arbitrary system operation or disrupt service. This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529. It is ... • https://www.twcert.org.tw/tw/cp-132-7249-ab2d1-1.html • CWE-134: Use of Externally-Controlled Format String •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 1CVE-2023-35086 – ASUS RT-AX56U V2 & RT-AC86U - Format String -1
https://notcve.org/view.php?id=CVE-2023-35086
21 Jul 2023 — It is identified a format string vulnerability in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by directly using input as a format string when calling syslog in logmessage_normal function, in the do_detwan_cgi module of httpd. A remote attacker with administrator privilege can exploit this vulnerability to perform remote arbitrary code execution, arbitrary system operation or disrupt service. This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529. • https://github.com/tin-z/CVE-2023-35086-POC • CWE-134: Use of Externally-Controlled Format String •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28702 – ASUS RT-AC86U - Command Injection
https://notcve.org/view.php?id=CVE-2023-28702
02 Jun 2023 — ASUS RT-AC86U does not filter special characters for parameters in specific web URLs. A remote attacker with normal user privileges can exploit this vulnerability to perform command injection attack to execute arbitrary system commands, disrupt system or terminate service. • https://www.twcert.org.tw/tw/cp-132-7146-ef92a-1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28703 – ASUS RT-AC86U - Buffer Overflow
https://notcve.org/view.php?id=CVE-2023-28703
02 Jun 2023 — ASUS RT-AC86U’s specific cgi function has a stack-based buffer overflow vulnerability due to insufficient validation for network packet header length. A remote attacker with administrator privileges can exploit this vulnerability to execute arbitrary system commands, disrupt system or terminate service. • https://www.twcert.org.tw/tw/cp-132-7147-afcf9-1.html • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.0EPSS: 0%CPEs: 188EXPL: 1CVE-2021-43702
https://notcve.org/view.php?id=CVE-2021-43702
05 Jul 2022 — ASUS RT-A88U 3.0.0.4.386_45898 is vulnerable to Cross Site Scripting (XSS). The ASUS router admin panel does not sanitize the WiFI logs correctly, if an attacker was able to change the SSID of the router with a custom payload, they could achieve stored XSS on the device. ASUS RT-A88U versión 3.0.0.4.386_45898 es vulnerable a un ataque de tipo Cross Site Scripting (XSS). El panel de administración del enrutador ASUS no desinfecta los registros de WiFI correctamente, si un atacante pudiera cambiar el SSI... • https://www.asus.com/uk/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RT-AC88U • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-25597 – ASUS RT-AC86U - Command Injection
https://notcve.org/view.php?id=CVE-2022-25597
07 Apr 2022 — ASUS RT-AC86U’s LPD service has insufficient filtering for special characters in the user request, which allows an unauthenticated LAN attacker to perform command injection attack, execute arbitrary commands and disrupt or terminate service. El servicio LPD de ASUS RT-AC86U, presenta un filtrado insuficiente para caracteres especiales en la petición del usuario, lo que permite a un atacante no autenticado de la LAN llevar a cabo un ataque de inyección de comandos, ejecutar comandos arbitrarios e interrumpir... • https://www.twcert.org.tw/tw/cp-132-5794-09c33-1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-25596 – ASUS RT-AC86U - Heap-based buffer overflow
https://notcve.org/view.php?id=CVE-2022-25596
07 Apr 2022 — ASUS RT-AC56U’s configuration function has a heap-based buffer overflow vulnerability due to insufficient validation for the decryption parameter length, which allows an unauthenticated LAN attacker to execute arbitrary code, perform arbitrary operations and disrupt service. La función de configuración de ASUS RT-AC56U, presenta una vulnerabilidad de desbordamiento de búfer en la región heap de la memoria debido a que no ha sido comprobada suficientemente la longitud del parámetro de descifrado, lo que perm... • https://www.twcert.org.tw/tw/cp-132-5793-4f9d3-1.html • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-25595 – ASUS RT-AC86U - Improper Input Validation
https://notcve.org/view.php?id=CVE-2022-25595
07 Apr 2022 — ASUS RT-AC86U has improper user request handling, which allows an unauthenticated LAN attacker to cause a denial of service by sending particular request a server-to-client reply attempt. ASUS RT-AC86U, presenta un manejo inapropiado de las peticiones de los usuarios, lo que permite a un atacante de LAN no autenticado causar una denegación de servicio mediante el envío de una petición particular un intento de respuesta de servidor a cliente • https://www.twcert.org.tw/tw/cp-132-5792-3f3f5-1.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 1%CPEs: 108EXPL: 0CVE-2021-3128
https://notcve.org/view.php?id=CVE-2021-3128
12 Apr 2021 — In ASUS RT-AX3000, ZenWiFi AX (XT8), RT-AX88U, and other ASUS routers with firmware < 3.0.0.4.386.42095 or < 9.0.0.4.386.41994, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. This occurs when a link prefix route points to a point-to-point link, a destination IPv6 address belongs to the prefix and is not a local IPv6 address, and a router advertisement is received with at least one global unique IPv6 prefix for wh... • https://www.asus.com/Networking-IoT-Servers/Whole-Home-Mesh-WiFi-System/ZenWiFi-WiFi-Systems/ASUS-ZenWiFi-AX-XT8-/HelpDesk_BIOS • CWE-834: Excessive Iteration •