Asus has released a patch that fixes critical vulnerabilities in eighteen different routers. The manufacturer recommends that everyone install the update immediately.
Eighteen Asus routers are affected by multiple vulnerabilities. Asus is therefore releasing a firmware patch that should solve all the problems in one fell swoop. The patch fixes a total of nine bugs, including two critical ones.
Critical Errors
The first critical error is CVE-2022-26376, which has a score of 9.8. The vulnerability allows an attacker to manipulate Asuswrt firmware memory via a malicious HTTP request. Ultimately, this lets attackers gain access to the router and run code on it.
CVE-2018-1160 also has a score of 9.8 and is therefore critical. This vulnerability also allows attackers to run their own code on the router, in this case through an out-of-bounds vulnerability in Netatalk. This bug is quite old, and it is quite surprising that Asus is only now providing a fix.
No quick patch
As is typical, Asus has taken quite a while to update the firmware of vulnerable routers, but that doesn't mean you shouldn't install the patch urgently. With the Asuswrt firmware vulnerabilities now publicly known, it is only a matter of time before attackers start exploiting them, for example by taking over routers and integrating them into a botnet.
Asus recommends that anyone who does not install the patch immediately disable all services on the WAN side, such as remote access, port forwarding, DMZ and more. This reduces the number of weak points. The firmware of the following routers is vulnerable:
- GT6
- GT-AXE16000
- GT-AX11000 PRO
- GT-AX6000
- GT-AX11000
- GS-AX5400
- GS-AX3000
- XT9
- XT8
- XT8 V2
- RT-AX86U PRO
- RT-AX86U
- RT-AX86S
- RT-AX82U
- RT-AX58U
- RT-AX3000
- TUF-AX6000
- TUF-AX5400