VYPR
Unrated severity · NVD Advisory · Published Apr 6, 2021 · Updated Sep 17, 2024

ASUS BMC's firmware: buffer overflow - Web License configuration setting

CVE-2021-28183

Description

A specific function in the ASUS BMC firmware Web management page (Web License configuration setting) does not verify the length of strings entered by users, resulting in a buffer overflow vulnerability. After obtaining privileged permissions, remote attackers can use the vulnerability to abnormally terminate the Web service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Buffer overflow in ASUS BMC firmware Web license configuration allows authenticated remote attackers to cause denial of service via crafted input.

Vulnerability

The ASUS BMC firmware Web management page contains a buffer overflow vulnerability in the Web License configuration setting. The specific function does not verify the length of user-supplied strings, leading to a buffer overflow. Affected firmware versions include Z10PR-D16 1.14.51, ASMB8-iKVM 1.14.51, and Z10PE-D16 WS 1.14.2 [1].

Exploitation

An attacker must first obtain privileged (administrator) permissions on the BMC. With remote network access, the attacker can send a crafted input with an excessively long string to the vulnerable Web License configuration function, triggering a buffer overflow that abnormally terminates the Web service [1].

Impact

Successful exploitation results in a denial of service (DoS) condition, causing the Web service to crash. There is no impact on confidentiality or integrity. The CVSS v3.1 base score is 4.9 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H [1].

Mitigation

ASUS has released firmware updates to address this vulnerability. Users should update to the following fixed versions: Z10PR-D16 1.16.1, ASMB8-iKVM 1.16.1, and Z10PE-D16 WS 1.16.1 [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • ASUS/BMC firmware for ASMB8-iKVMv5
    Range: 1.14.51
  • ASUS/BMC firmware for Z10PE-D16 WSv5
    Range: 1.14.2
  • ASUS/BMC firmware for Z10PR-D16v5
    Range: 1.14.51

Patches

0

No patches discovered yet.


References

3
