ASUS has released security updates to fix a critical vulnerability affecting its routers that could be abused by attackers to bypass authentication.
Known as CVE-2024-3080, this flaw has a CVSS score of 9.8 out of 10.
According to Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), “Certain ASUS router models have an authentication bypass vulnerability, which allows unauthenticated remote attackers to log into the device.”
Another flaw addressed by ASUS is a high-severity buffer overflow issue identified as CVE-2024-3079 (CVSS score: 7.2), which could be exploited by remote attackers with administrative privileges to execute arbitrary commands on the router.
In a potential attack scenario, malicious actors could chain CVE-2024-3080 and CVE-2024-3079 to bypass authentication and run malicious code on vulnerable devices.
Both vulnerabilities affect the following products:
- ZenWiFi XT8 version 3.0.0.4.388_24609 and earlier (Fixed in 3.0.0.4.388_24621)
- ZenWiFi XT8 version V2 3.0.0.4.388_24609 and earlier (Fixed in 3.0.0.4.388_24621)
- RT-AX88U version 3.0.0.4.388_24198 and earlier (Fixed in 3.0.0.4.388_24209)
- RT-AX58U version 3.0.0.4.388_23925 and earlier (Fixed in 3.0.0.4.388_24762)
- RT-AX57 version 3.0.0.4.386_52294 and earlier (Fixed in 3.0.0.4.386_52303)
- RT-AC86U version 3.0.0.4.386_51915 and earlier (Fixed in 3.0.0.4.386_51925)
- RT-AC68U version 3.0.0.4.386_51668 and earlier (Fixed in 3.0.0.4.386_51685)
Earlier this year, ASUS also fixed another critical vulnerability, CVE-2024-3912 (CVSS score: 9.8), which could allow unauthenticated remote attackers to upload arbitrary files and execute system commands.
Users of affected ASUS routers are urged to update to the latest firmware versions to protect against potential threats.