CVE-2021-41437
Description
HTTP response splitting in ASUS RT-AX88U AiCloud allows an attacker to craft a URL that, when visited by an authenticated victim, grants access to the attacker's cloud storage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An HTTP response splitting vulnerability exists in the AiCloud component of ASUS RT-AX88U routers running firmware versions prior to v3.0.0.4.388.20558 [2]. The flaw allows an attacker to craft a malicious URL that, when processed by the AiCloud web application, triggers a response split, enabling the injection of attacker-controlled content into the HTTP response.
Exploitation
To exploit this vulnerability, an attacker must craft a specific URL and trick an authenticated victim into visiting it [2]. The victim must be logged into the router's AiCloud interface. No additional privileges or network access are required beyond the ability to deliver the URL to the victim (e.g., via phishing or a malicious link). The attacker does not need to be on the same network as the victim.
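Because the attack arrives as a crafted URL, percent-encoded CR or LF characters in a request target are the signal to hunt for in proxy or gateway logs. The following is an added example, not code from the CVE record or its references; the log format, paths and header name are constructed, and the vulnerable AiCloud parameter itself is not stated on this page.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log lines: client, request line, status.
# Paths and the injected header name are hypothetical, not AiCloud endpoints.
SAMPLE_LOG = [
    '203.0.113.7 "GET /index.html?lang=en HTTP/1.1" 200',
    '203.0.113.7 "GET /page?next=home%0d%0aX-Injected:%201 HTTP/1.1" 302',
    '198.51.100.9 "GET /page?next=home%250D%250AX-Injected:%201 HTTP/1.1" 302',
    '198.51.100.9 "GET /files/report%20final.pdf HTTP/1.1" 200',
    '192.0.2.44 "GET /page?next=a%0Ab HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # catches double and triple percent-encoding


def decode_rounds_until_crlf(target):
    """Return how many percent-decoding rounds expose a CR or LF, else None."""
    current = target
    for rounds in range(MAX_DECODE_ROUNDS + 1):
        if "\r" in current or "\n" in current:
            return rounds
        decoded = unquote(current)
        if decoded == current:  # fully decoded, nothing suspicious found
            return None
        current = decoded
    return None


def find_split_attempts(lines):
    """Return (line_number, client, decode_rounds) for each suspicious request."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        rounds = decode_rounds_until_crlf(match.group("target"))
        if rounds is not None:
            findings.append((lineno, line.split()[0], rounds))
    return findings


if __name__ == "__main__":
    for lineno, client, rounds in find_split_attempts(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent CR/LF in URL ({rounds} decode round(s))")
```

A lone encoded LF (line 5 of the sample) is flagged as well, since some HTTP parsers accept a bare LF as a line terminator.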
Impact
If successful, the attacker can cause the victim's browser to interpret the split response, leading to the victim being redirected to the attacker's cloud storage [2]. This effectively gives the attacker access to the victim's authenticated session within the context of AiCloud, potentially allowing the attacker to manipulate or exfiltrate data from the victim's cloud storage. The integrity and confidentiality of the victim's cloud data are compromised.
Mitigation
ASUS has released firmware version v3.0.0.4.388.20558 that fixes this vulnerability [1]. Users should update to this version or later (e.g., v3.0.0.4.388.24333, v3.0.0.4.388.24346, v3.0.0.4.388.24385) via the official ASUS support page [1]. No workaround is available; upgrading is the only recommended mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ASUS/RT-AX88U
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/efchatz/easy-exploits/tree/main/Web/ASUS/CVE-2021-41437 (mitre, x_refsource_MISC)
- www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AX88U/HelpDesk_BIOS/ (mitre, x_refsource_CONFIRM)