Seven ASUS routers impacted by critical authentication bypass flaw

ASUS has issued a product security advisory warning customers to update their firmware to address a critical vulnerability affecting seven of its router models.

The vulnerability, CVE-2024-3080, is a critical authentication bypass flaw that allows remote attackers to take control of the device without authentication.

Because attackers can leverage the flaw without needing to escalate their privileges, it was rated 9.8 on the CVSS, according to the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC).

ASUS listed the following routers as being impacted by the flaw:

  • XT8 (ZenWiFi AX XT8) 
  • XT8_V2
  • RT-AX88U 
  • RT-AX58U 
  • RT-AX57
  • RT-AC86U
  • RT-AC68U

A second vulnerability, tracked as CVE-2024-3079, is a buffer overflow flaw that could allow remote attackers with administrative privileges to execute arbitrary commands on the device.

ASUS also warned that certain other models have an arbitrary firmware upload vulnerability, CVE-2024-3912, that could allow an unauthenticated attacker to execute arbitrary system commands on the device.

The affected devices were:

  • DSL-N12U_C1
  • DSL-N12U_D1
  • DSL-N14U
  • DSL-N14U_B1
  • DSL-N16
  • DSL-N17U
  • DSL-N55U_C1
  • DSL-N55U_D1
  • DSL-N66U
  • DSL-AC51
  • DSL-AC750
  • DSL-AC52U
  • DSL-AC55U
  • DSL-AC56U

ASUS advised customers to update their devices to the latest firmware versions available on its download portals and, if this is not possible, to disable any services that are publicly accessible via the internet, such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, or port trigger.

“If you turned on the Download master, login the web GUI and go to USB application → Download Master and click the update to get the latest version of Download master (3.1.0.114)”

If users cannot update Download Master, ASUS advises them to ensure login and Wi-Fi passwords are secure and to use strong passwords that cannot be easily guessed or brute-forced by attackers.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.