VYPR
Unrated severity · NVD Advisory · Published Apr 7, 2022 · Updated Sep 17, 2024

ASUS RT-AX56U - Path Traversal

CVE-2022-23971

Description

ASUS RT-AX56U’s update_PLC/PORT file has a path traversal vulnerability due to insufficient filtering for special characters in the URL parameter. An unauthenticated LAN attacker can overwrite a system file by uploading another PLC/PORT file with the same file name, which results in service disruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal vulnerability in ASUS RT-AX56U allows unauthenticated LAN attackers to overwrite system files, causing denial of service. Fixed in firmware 3.0.0.4.386.45934.

Vulnerability

A path traversal vulnerability exists in the update_PLC/PORT file functionality of ASUS RT-AX56U firmware version 3.0.0.4.386.45898 [1]. The URL parameter does not properly filter special characters, allowing an attacker to specify arbitrary paths when uploading a PLC or PORT file. This enables file writes outside the intended directory.
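
The missing check described above, shown as an added example (not ASUS firmware code, which this page does not include): a file-name validator beside the unchecked concatenation it replaces. `UPLOAD_DIR`, `MAX_NAME`, the function names and the sample names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical upload directory; the advisory does not give the real path. */
#define UPLOAD_DIR "/tmp/upload"
#define MAX_NAME   64

/* Vulnerable pattern: the request-supplied name is joined to the directory
 * unchecked, so "../" components resolve outside UPLOAD_DIR. */
int build_path_unsafe(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", UPLOAD_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened pattern: the name must be one path component made only of
 * allow-listed characters. Returns 0 and fills out, or -1 if rejected. */
int build_path_safe(const char *name, char *out, size_t outlen)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > MAX_NAME)
        return -1;
    if (name[0] == '.')              /* rejects ".", ".." and dot-files */
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* '/', '\\', '%' and control bytes all fail this test, so neither
         * raw nor still-encoded separators get through. */
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return -1;
    }
    int n = snprintf(out, outlen, "%s/%s", UPLOAD_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    const char *samples[] = { "port_table.bin", "../outside.bin", "..",
                              "a/b", "%2e%2e%2fx" };
    char path[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_path_safe(samples[i], path, sizeof path);
        printf("%-16s -> %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Rejecting `%` keeps percent-encoded separators out only if no later stage decodes the name again; a handler that decodes must validate the decoded form.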

Exploitation

An unauthenticated attacker on the local network can exploit this vulnerability by sending a crafted request to the update_PLC/PORT endpoint with a filename containing path traversal sequences (e.g., ../). The attacker uploads a file with the same name as an existing system file, causing it to be overwritten. No authentication or user interaction is required [1].

Impact

Successful exploitation allows overwriting of arbitrary system files, leading to service disruption (denial of service). The attack impacts integrity and availability, but not confidentiality. The CVSS score is 8.1 (High) with vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H [1].

Mitigation

ASUS released firmware version 3.0.0.4.386.45934 to fix this vulnerability [1]. Users should update their RT-AX56U devices to the patched version. No workarounds are documented; upgrading is the recommended mitigation.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Asus/RT-AX56U V2 · llm-fuzzy · 2 versions
    • (no CPE)
    • (no CPE) · range: 3.0.0.4.386.45898


References

1
