ASUS RT-AX55 Routers OS Command Injection Vulnerability (CVE-2023-39780)
ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands. As represented by CVE-2023-41346.
A remote attacker, with a low-privilege account, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2025-06-23 under CISA BOD 22-01.
This is a OS Command Injection (CWE-78) vulnerability in ASUS RT-AX55 Routers. On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /start_apply.htm qos_bw_rulelist parameter. NOTE: for the similar "token-generated module" issue, see CVE-2023-41345; for the similar "token-refresh module" issue, see CVE-2023-41346; for the similar "check token module" issue, see CVE-2023-41347; and for the similar "code-authentication module" issue, see CVE-2023-41348. Exploitation requires remote network access, low attack complexity, a low-privilege authenticated account, and no user interaction required.
Probably yes if any of these apply:
Active exploitation documented in the wild. Threat-research write-up: https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/1/EN.md
Manual remediation steps
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.