CVE-2018-6000
Description
An unauthenticated attacker can exploit AsusWRT's vpnupload.cgi to overwrite NVRAM values, set the admin password, and gain root remote code execution on affected routers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the do_vpnupload_post function in router/httpd/web.c within the vpnupload.cgi handler. This function allows setting NVRAM configuration values via a crafted POST request without proper authentication. This issue affects AsusWRT firmware versions before 3.0.0.4.384_10007, as confirmed on version 3.0.0.4.380.7743 [1][2].
Exploitation
An unauthenticated attacker on the local network can send a malicious POST request to vpnupload.cgi. By setting specific NVRAM variables, the attacker can change the admin password and enable a special command mode or launch the SSH daemon. This attack can be combined with CVE-2018-5999 (authentication bypass) to achieve full exploitation [1][2][3]. The exploit is publicly available as a Metasploit module that sends a crafted POST to set the password, then uses a UDP packet to infosvr on port 9999 to execute commands as root [2][3].
Impact
Successful exploitation allows an unauthenticated, remote attacker to gain administrative access to the router as the root user. This results in full compromise of the device, including the ability to execute arbitrary commands, modify system configuration, and potentially pivot to other devices on the network. The impact is remote code execution with the highest privilege level on the router [1][2].
Mitigation
ASUS released the fix in firmware version 3.0.0.4.384_10007. Users should update to this version or later. There are no known workarounds other than upgrading. This vulnerability is not listed in CISA's KEV as of the publication date. If upgrading is not possible, users should restrict LAN access to trusted devices only [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `do_vpnupload_post` function in `vpnupload.cgi` calls `nvram_set()` with attacker-controlled name/value pairs extracted from the POST body without any authentication or authorization check."
Attack vector
An unauthenticated attacker on the LAN sends a crafted POST request to `/vpnupload.cgi` [1][2]. Because of the authentication bypass in `handle_request()`, the POST is processed even though the user is not logged in [1]. The `do_vpnupload_post` function extracts arbitrary name/value pairs from the multipart form-data and writes them into NVRAM via `nvram_set()` [1]. By setting `ateCommand_flag` to `1`, the attacker enables a special command mode in the `infosvr` UDP daemon (port 9999) [1]. A subsequent crafted UDP packet with `NET_CMD_ID_MANU_CMD` (0x33) causes `infosvr` to execute an arbitrary shell command as root [2][3].
Affected code
The vulnerable function is `do_vpnupload_post` in `router/httpd/web.c` (AsusWRT source). It parses multipart POST data and calls `nvram_set(name, value)` with attacker-controlled name/value pairs extracted from the request body [1]. The HTTP server's authentication bypass (CVE-2018-5999) in `handle_request()` within `httpd.c` allows an unauthenticated POST to reach this handler [1].
What the fix does
The advisory states the fix is included in AsusWRT version 3.0.0.4.384_10007 [1]. No patch diff is provided in the bundle, but the remediation addresses both the authentication bypass in `handle_request()` (CVE-2018-5999) and the unauthorized NVRAM write in `do_vpnupload_post()` (CVE-2018-6000) [1]. Users should upgrade to firmware version 3.0.0.4.384_10007 or later to close both vulnerabilities.
Preconditions
- network: Attacker must be on the same LAN as the target router (no authentication required)
- config: Router must be running AsusWRT firmware before version 3.0.0.4.384_10007
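The firmware precondition above can be checked across an asset inventory. The following is an added example, not code from the advisory or from ASUS: it assumes that `.` and `_` both separate numeric components in AsusWRT version strings and that any non-numeric suffix on a component does not affect ordering; the host names and every version other than the two quoted on this page are constructed samples.

```python
import re

# Fixed release named on this page; anything that sorts below it is affected.
FIXED_VERSION = "3.0.0.4.384_10007"

def parse_asuswrt_version(text):
    """Turn '3.0.0.4.380.7743' or '3.0.0.4.384_10007' into a tuple of ints.

    Assumption: '.' and '_' are equivalent separators, and a trailing
    non-numeric suffix on a component (e.g. '-gead790e') is ignored.
    """
    numbers = []
    for part in re.split(r"[._]", text.strip()):
        m = re.match(r"\d+", part)
        if not m:
            raise ValueError(f"unparseable component {part!r} in {text!r}")
        numbers.append(int(m.group()))
    return tuple(numbers)

def is_affected(version):
    # Numeric tuple comparison: a plain string comparison would rank
    # '384_9999' above '384_10007'. A version with fewer components than
    # the fixed release sorts as older, which errs toward flagging it.
    return parse_asuswrt_version(version) < parse_asuswrt_version(FIXED_VERSION)

def triage(inventory):
    """Map each (host, version) pair to 'affected', 'fixed' or 'unknown'."""
    result = {}
    for host, version in inventory:
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"  # needs a manual firmware check
    return result

# Constructed inventory; only 380.7743 and 384_10007 come from the page.
SAMPLE = [
    ("rtr-lobby", "3.0.0.4.380.7743"),
    ("rtr-lab", "3.0.0.4.384_10007"),
    ("rtr-office", "3.0.0.4.384_20308-gead790e"),
    ("rtr-annex", "3.0.0.4.384_9999"),
    ("rtr-spare", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```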
Reproduction
1. Send a POST request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- www.exploit-db.com/exploits/43881/ (mitre; exploit; x_refsource_EXPLOIT-DB)
- www.exploit-db.com/exploits/44176/ (mitre; exploit; x_refsource_EXPLOIT-DB)
- blogs.securiteam.com/index.php/archives/3589 (mitre; x_refsource_MISC)
- github.com/pedrib/PoC/blob/master/advisories/asuswrt-lan-rce.txt (mitre; x_refsource_MISC)
- raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb (mitre; x_refsource_MISC)