ASUS has sent patches to fix a critical security issue affecting its routers that could be utilized by malicious entities to bypass authentication.
Identified as CVE-2024-3080, the security weakness has a CVSS score of 9.8 out of 10.0.
“Specific ASUS router models contain an authentication bypass flaw, enabling unauthenticated remote attackers to access the device,” as described by the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC).
Also addressed by the Taiwanese manufacturer is a critical buffer overflow vulnerability logged as CVE-2024-3079 (CVSS score: 7.2) which could be exploited by remote attackers with administrative privileges to perform unauthorized commands on the device.
In a theoretical attack scenario, a malicious actor could combine CVE-2024-3080 and CVE-2024-3079 to bypass authentication and execute malicious code on vulnerable devices.
Both issues affect the following products –
- ZenWiFi XT8 version 3.0.0.4.388_24609 and earlier (Fixed in 3.0.0.4.388_24621)
- ZenWiFi XT8 version V2 3.0.0.4.388_24609 and earlier (Fixed in 3.0.0.4.388_24621)
- RT-AX88U version 3.0.0.4.388_24198 and earlier (Fixed in 3.0.0.4.388_24209)
- RT-AX58U version 3.0.0.4.388_23925 and earlier (Fixed in 3.0.0.4.388_24762)
- RT-AX57 version 3.0.0.4.386_52294 and earlier (Fixed in 3.0.0.4.386_52303)
- RT-AC86U version 3.0.0.4.386_51915 and earlier (Fixed in 3.0.0.4.386_51925)
- RT-AC68U version 3.0.0.4.386_51668 and earlier (Fixed in 3.0.0.4.386_51685)
Earlier this January, ASUS dealt with another critical vulnerability logged as (CVE-2024-3912, CVSS score: 9.8) that could allow an unauthenticated remote attacker to upload random files and execute system commands on the device.
Users of affected routers are encouraged to upgrade to the latest version to protect against potential risks.
About Author
