CVE-2024-0401

Summary

ASUS routers supporting custom OpenVPN profiles are vulnerable to a code execution vulnerability. An authenticated and remote attacker can execute arbitrary operating system commands by uploading a crafted OVPN profile. Known affected routers include ASUS ExpertWiFi, ASUS RT-AX55, ASUS RT-AX58U, ASUS RT-AC67U, ASUS RT-AC68R, ASUS RT-AC68U, ASUS RT-AX86, ASUS RT-AC86U, ASUS RT-AX88U, and ASUS RT-AX3000.

Affected Software

VendorProductVersion RangeStatus
ASUSExpertWiFi0 < 3.0.0.6.102_44544affected
ASUSRT-AX550 < 3.0.0.4.386_52303affected
ASUSRT-AX58U0 < 3.0.0.4.388_24762affected
ASUSRT-AC67U0 < 3.0.0.4.386_51685affected
ASUSRT-AC68R0 < 3.0.0.4.386_51685affected
ASUSRT-AC68U0 < 3.0.0.4.386_51685affected
ASUSRT-AX86 Series0 < 3.0.0.4.388_24243affected
ASUSRT-AC86U0 < 3.0.0.4.386_51925affected
ASUSRT-AX88U0 < 3.0.0.4.388_24209affected
ASUSRT-AX30000 < 3.0.0.4.388_24762affected

Weaknesses

  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References