CVE-2017-15655
Description
Multiple buffer overflows in ASUS asuswrt HTTPd allow RCE as admin when visiting specific pages; fixed in 3.0.0.4.378.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Multiple buffer overflow vulnerabilities exist in the HTTPd server of ASUS asuswrt firmware versions up to and including 3.0.0.4.376.X. The bug is triggered via a crafted Host: header, which overflows a buffer and overwrites the SystemCmd variable. The vulnerable code path is reachable when an authenticated administrator visits certain pages, such as the network tools tab. All models running asuswrt <=3.0.0.4.376.X are affected; some end-of-life routers (e.g., RT-N65R, RT-N65U) receive this version as their last update and therefore remain vulnerable [1].
Exploitation
An attacker needs only to send an HTTP request with an overly long Host: header to the router's management interface. No authentication is required for the initial request, but exploitation completes only after an authenticated administrator later visits one of several trigger pages (e.g., the network tools tab). The attacker can embed arbitrary shell commands in the Host: header payload; the overflow overwrites SystemCmd with that payload. When the admin visits a trigger page, the injected command executes with root privileges [1].
Impact
Successful exploitation achieves remote code execution as the administrator (root) on the router. The attacker can fully compromise the device, including reading all NVRAM contents, modifying configurations, and exfiltrating sensitive data. Due to the network vector and the lack of required privileges for the initial overflow stage, the CVSS v3 score is 9.6 (Critical) [1].
Mitigation
The vendor fixed these issues in firmware version 3.0.0.4.378. Users should upgrade to this or a later version immediately. For routers that cannot be upgraded beyond 3.0.0.4.376.X (e.g., end-of-life models), ASUS has not released a patch; the vendor refused to fix the vulnerability for EOL devices [1]. Recommended workarounds include disabling remote management from the WAN side and restricting LAN access to the management interface to trusted hosts only. This CVE is not listed on the CISA KEV catalog as of this writing.
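As a complement to the workarounds above, a filtering proxy or log pipeline in front of the management interface can reject requests whose Host: header is oversized or is not a plausible hostname. The following is an added example, not code from the advisory or from ASUS; it goes beyond the length check to validate syntax as well, and the 255-byte limit, the function names and the sample requests are assumptions.

```python
import re

# Assumption: 255 bytes is the DNS maximum for a hostname; the advisory does
# not state the size of the buffer that the Host: header overflows.
MAX_HOST_LEN = 255
# RFC 3986 host forms: reg-name / IPv4 (letters, digits, '.', '-') or a
# bracketed IPv6 literal, each with an optional numeric port.
HOST_RE = re.compile(r"(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::[0-9]{1,5})?")


def host_headers(raw: bytes) -> list[bytes]:
    """Return every Host: header value found in the request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            values.append(value.strip())
    return values


def check_request(raw: bytes) -> list[str]:
    """Return reasons to reject the request; an empty list means acceptable."""
    hosts = host_headers(raw)
    if len(hosts) != 1:
        return [f"expected exactly one Host header, found {len(hosts)}"]
    host, reasons = hosts[0], []
    if len(host) > MAX_HOST_LEN:
        reasons.append(f"Host header is {len(host)} bytes (limit {MAX_HOST_LEN})")
    if not HOST_RE.fullmatch(host.decode("latin-1")):
        reasons.append("Host header is not a hostname or IP literal")
    return reasons


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
    "oversized": b"GET / HTTP/1.1\r\nHost: " + b"A" * 600 + b"\r\n\r\n",
    "metachars": b"GET / HTTP/1.1\r\nHost: router;PLACEHOLDER\r\n\r\n",
    "duplicate": b"GET / HTTP/1.1\r\nHost: a\r\nHost: b\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, check_request(request) or "ok")
```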
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (3)
- packetstormsecurity.com/files/145921/ASUSWRT-3.0.0.4.382.18495-Session-Hijacking-Information-Disclosure.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2018/Jan/63 (mitre, mailing-list, x_refsource_FULLDISC)
- sploit.tech/2018/01/16/ASUS-part-I.html (mitre, x_refsource_MISC)