If you have an Asus router and haven’t updated it recently, beware—you’re possibly an open target for remote attacks. Several critical flaws announced today allow hackers to execute code and arbitrary operations on affected routers not running current firmware.
As reported by Bleeping Computer, three models (the Asus RT-AX55, RT-AX56U_V2, and RT-AC86U) are vulnerable to issues CVE-2023-39238, CVE-2023-39239, and CVE-2023-39240, which relate to APIs that handle administrative functions. These format string flaws let through user input that isn’t verified—or in other words, input that shouldn’t be allowed can slip through. A remote attacker can then remotely feed specifically crafted text to an affected router to run their own code, interrupt operations, or execute arbitrary operations.
On the CVSS v3.0 scale, these vulnerabilities are rated as a 9.8 out of 10, which puts them in the Critical category (anything above a 9.0). While this scale does not relate to the resulting risk from a flaw, it indicates how severe the issue is.
If you have one of the affected routers, here are the firmware versions you’ll want to update to:
- RT-AX55: 3.0.0.4.386_51948 or later
- RT-AX56U_V2: 3.0.0.4.386_51948 or later
- RT-AC86U: 3.0.0.4.386_51915 or later
These patches were all released this year, with the AX56U_V2 the first to get its updated firmware in May 2023, the RT-AC86U in July 2023, and the RT-AX55 in August 2023.
If your router’s affected, you’ll obviously want to check your firmware version right away. But after verifying (and updating, as needed), you should probably shut off remote access to your router, too. Since most people set up their router and then forget about it, you won’t need that feature, and you’ll stay better protected with it off. It’s just one of the core pieces of advice we tech journalists give about securing your home network properly.