CVE-2021-41435
Description
A CAPTCHA bypass in ASUS routers allows unlimited login attempts, enabling brute-force attacks on admin credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CAPTCHA bypass in ASUS routers allows unlimited login attempts, enabling brute-force attacks on admin credentials.
Vulnerability
The vulnerability resides in the CAPTCHA protection mechanism of the web interface on numerous ASUS router models. A remote attacker can bypass the brute-force protection by sending a specific HTTP request, allowing unlimited login attempts. Affected models include ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series (RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before firmware version 3.0.0.4.386.45898, and RT-AX68U before firmware version 3.0.0.4.386.45911 [1][2][3][4].
Exploitation
An attacker can exploit this vulnerability remotely without any authentication. By sending a specially crafted HTTP request, the attacker bypasses the CAPTCHA check and can perform an unlimited number of login attempts. This enables a brute-force attack on the router's admin credentials. No user interaction is required.
Impact
Successful exploitation allows an attacker to brute-force the admin password. If the password is guessed, the attacker gains full administrative access to the router, potentially leading to complete compromise of the device and the network it manages. This includes the ability to modify settings, intercept traffic, or launch further attacks.
Mitigation
ASUS has released firmware updates to fix this vulnerability. Users should upgrade to firmware version 3.0.0.4.386.45898 or later for most affected models, and version 3.0.0.4.386.45911 or later for RT-AX68U [1][2][3][4]. The updates are available on the ASUS support website. No workarounds are documented. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4- ASUS/ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ZenWiFi XD6, ZenWiFi AX (XT8), RT-AX68Udescription
- Range: < 3.0.0.4.386.45898
- Range: < 3.0.0.4.386.45898
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
8- asus.commitrex_refsource_MISC
- rog.asus.com/networking/rog-rapture-gt-ax11000-model/helpdesk_biosmitrex_refsource_MISC
- www.asus.com/Networking-IoT-Servers/Whole-Home-Mesh-WiFi-System/ZenWiFi-WiFi-Systems/ASUS-ZenWiFi-AX-XT8-/HelpDesk_BIOS/mitrex_refsource_MISC
- www.asus.com/Networking-IoT-Servers/Whole-Home-Mesh-WiFi-System/ZenWiFi-WiFi-Systems/ASUS-ZenWiFi-XD6/HelpDesk_BIOS/mitrex_refsource_MISC
- www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RT-AX3000/HelpDesk_BIOS/mitrex_refsource_MISC
- www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RT-AX56U/HelpDesk_BIOS/mitrex_refsource_MISC
- www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RT-AX68U/HelpDesk_BIOS/mitrex_refsource_MISC
- www.asus.com/Networking-IoT-Servers/WiFi-Routers/All-series/RT-AX55/HelpDesk_BIOS/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.