www.belgium.be Logo of the federal government

Warning: Multiple vulnerabilities resulting in RCE for Asus RT-AX55, AX56U_V2 and RT-AC86U routers

Advisory #2023-0104
Affected software: 
RT-AC86U <
RT-AX55 <
RT-AX56U_V2 <
Remote Code Execution (RCE)
CVE-2023-39238: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-39239: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-39240: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)



Three critical-severity remote code execution vulnerabilities impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers, potentially allowing threat actors to hijack devices if security updates are not installed. These vulnerabilities are currently not exploited in the wild.


ASUS released firmware which fixed several vulnerabilities in following WiFi routers:
  • RT-AC86U
  • RT-AX56U
  • RT-AX55
While the RT-AC86U is a WiFi5 (802.11ac) router, the other two models are WiFi6 (802.11ax) routers.
An unauthenticated remote threat actor could exploit these vulnerabilities in order to perform remote code execution (RCE).
These vulnerabilities were reported by the Taiwanese CERT. No expoitation in the wild has currently been reported. The CCB expects these vulnerabilities will be abused in the future to create botnet networks. No expoitation in the wild has currently been reported. 

Recommended Actions

The Centre for Cybersecurity Belgium strongly recommends users and system administrators to take the following actions in order to mitigate the impact of this vulnerability in the most efficient way.
Please upgrade to the vendor's recommended version (or higher) after thorough testing and keep an eye out for future security bulletins.
  • RT-AC86U: or later
  • RT-AX55: or later
  • RT-AX56U_V2: or later
ASUS released patches that address the three flaws in early August 2023 for RT-AX55, in May 2023 for AX56U_V2, and in July 2023 for RT-AC86U. These patches also fix several other remote code injection vulnerabilities considered less critical since exploitation requires device credentials.