Warning: Multiple vulnerabilities resulting in RCE for Asus RT-AX55, AX56U_V2 and RT-AC86U routers

Reference: Advisory #2023-0104
Version: 1.0
Affected software:
  • RT-AC86U < 3.0.0.4.386_51915
  • RT-AX55 < 3.0.0.4.386_51948
  • RT-AX56U_V2 < 3.0.0.4.386_51948
Type: Remote Code Execution (RCE)
CVE/CVSS:
  • CVE-2023-39238: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2023-39239: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2023-39240: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Risks

Three critical-severity remote code execution vulnerabilities impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers, potentially allowing threat actors to hijack devices if security updates are not installed. These vulnerabilities are currently not exploited in the wild.

Description

ASUS released firmware that fixes several vulnerabilities in the following WiFi routers:
  • RT-AC86U
  • RT-AX56U
  • RT-AX55
While the RT-AC86U is a WiFi5 (802.11ac) router, the other two models are WiFi6 (802.11ax) routers.
An unauthenticated remote threat actor could exploit these vulnerabilities in order to perform remote code execution (RCE).
These vulnerabilities were reported by the Taiwanese CERT. No exploitation in the wild has currently been reported. The CCB expects these vulnerabilities will be abused in the future to create botnets.

Recommended Actions

The Centre for Cybersecurity Belgium strongly recommends that users and system administrators take the following actions to mitigate the impact of these vulnerabilities as efficiently as possible.
Patch
Please upgrade to the vendor's recommended version (or higher) after thorough testing and keep an eye out for future security bulletins.
  • RT-AC86U: 3.0.0.4.386_51915 or later
  • RT-AX55: 3.0.0.4.386_51948 or later
  • RT-AX56U_V2: 3.0.0.4.386_51948 or later
ASUS released patches that address the three flaws in early August 2023 for RT-AX55, in May 2023 for AX56U_V2, and in July 2023 for RT-AC86U. These patches also fix several other remote code injection vulnerabilities considered less critical since exploitation requires device credentials.
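
An inventory check against the fixed versions listed above, as an added example (not part of the CCB advisory or of any ASUS tooling). It assumes firmware strings have the form shown in the advisory and that their fields compare numerically; the host names and inventory rows are constructed.

```python
import re

# Fixed firmware versions, copied from the advisory's "Patch" list.
FIXED = {
    "RT-AC86U": "3.0.0.4.386_51915",
    "RT-AX55": "3.0.0.4.386_51948",
    "RT-AX56U_V2": "3.0.0.4.386_51948",
}

# Assumption: dotted fields, '_' build number, optional '-suffix' that is ignored.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)_(\d+)(?:-[\w.]+)?")


def parse_version(text):
    """Turn '3.0.0.4.386_51915' into (3, 0, 0, 4, 386, 51915)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")) + (int(m.group(2)),)


def assess(model, firmware):
    """Return 'patched', 'vulnerable', 'not-listed' or 'unknown-version'."""
    key = model.strip().upper().replace(" ", "_")
    if key not in FIXED:
        return "not-listed"  # model is not covered by this advisory
    try:
        current = parse_version(firmware)
    except ValueError:
        return "unknown-version"  # unparseable string: review by hand
    return "patched" if current >= parse_version(FIXED[key]) else "vulnerable"


# Constructed inventory rows (host, model, firmware); not real devices.
SAMPLE_INVENTORY = [
    ("branch-gw-01", "RT-AC86U", "3.0.0.4.386_50000"),
    ("branch-gw-02", "RT-AX55", "3.0.0.4.386_51948"),
    ("branch-gw-03", "rt-ax56u v2", "3.0.0.4.386_51947-g0000000"),
    ("branch-gw-04", "RT-AX55", "unknown"),
]


def triage(inventory):
    return {host: assess(model, fw) for host, model, fw in inventory}


if __name__ == "__main__":
    print("\n".join(f"{h}: {s}" for h, s in triage(SAMPLE_INVENTORY).items()))
```

Rows reported as unknown-version should be checked on the device itself rather than assumed patched.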

References