Asus Issues Critical Security Patches for More Than a Dozen Routers

Anyone reading this website by way of an Asus router should take note—the company has released essential updates for many of its routers. They’re not essential because of some new feature or technology, though. Asus says owners of its routers should install the updates as soon as possible because they address a raft of vulnerabilities that could leave your network and devices exposed.

There are a total of nine security flaws addressed in the updates, and some of them are high-severity and even critical. The most dangerous flaws are CVE-2022-26376 and CVE-2018-1160. The first is a memory corruption bug in the company’s Asuswrt firmware that could allow attackers to manipulate system memory to trigger denial-of-services states or run arbitrary code.

The second critical update, as the CVE code shows, is from 2018. This bug is caused by an out-of-bounds error in the Netatalk protocol, which is used for file sharing with Apple computers. This flaw can be exploited to unlock remote code execution. It might have taken Asus time to realize its routers were vulnerable, but at least there’s an update now.

The security patch rollup is available for more than a dozen Asus routers, including the ZenWifi XT9, TUF Gaming AX6000, ROG Rapture GT-AXE16000, RT-AX86U, and more. See the Asus security advisory page for a full list of models. Asus recommends installing the new firmware as soon as possible. While it doesn’t mention any known exploits targeting Asus routers, disclosing the bugs as part of the update will draw attention from potential attackers. Here’s the full changelog.

1. Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376

2. Fixed DoS vulnerabilities in firewall configuration pages.

3. Fixed DoS vulnerabilities in httpd.

4. Fixed information disclosure vulnerability.

5. Fixed null pointer dereference vulnerabilities.

6. Fixed the cfg server vulnerability.

7. Fixed the vulnerability in the logmessage function.

8. Fixed Client DOM Stored XSS

9. Fixed HTTP response splitting vulnerability

10. Fixed status page HTML vulnerability.

11. Fixed HTTP response splitting vulnerability.

12. Fixed Samba related vulerabilities.

13. Fixed Open redirect vulnerability.

14. Fixed token authentication security issues.

15. Fixed security issues on the status page.

16. Enabled and supported ECDSA certificates for Let’s Encrypt.

17. Enhanced protection for credentials.

18. Enhanced protection for OTA firmware updates

The updates are available from your router’s management page, as well as on the support pages for each model. Plus, Asus has included links for each update in the security advisory. The company really does want to make it easy to update these devices. If you choose not to update, you could be in for a world of hurt—these security holes are no joke, and Asus products have been targeted by botnets in the past.

Even the latest XT9 Asus mesh system is included in the patches.
Credit: Asus

Asus says anyone without the new patch should take extreme measures to protect their network. Basically, you’d have to disable all WAN-side services, including remote access from WAN, port forwarding, DDNA, VPN servers, DMZ, and port trigger.