VYPR
Unrated severity · NVD Advisory · Published Apr 7, 2022 · Updated Sep 16, 2024

ASUS RT-AC86U - Command Injection

CVE-2022-25597

Description

The LPD service on the ASUS RT-AC86U insufficiently filters special characters in user requests, which allows an unauthenticated LAN attacker to perform a command injection attack, execute arbitrary commands, and disrupt or terminate the service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ASUS RT-AC86U LPD service lacks input sanitization, allowing unauthenticated LAN attackers to inject commands, execute arbitrary code, and cause service disruption.

Vulnerability

The ASUS RT-AC86U router (firmware version v3.0.0.4.386.45956 and earlier) contains a command injection vulnerability in its Line Printer Daemon (LPD) service. The service does not properly filter special characters in user-supplied requests, making the code path reachable by any network request to the LPD port [1].

Exploitation

An unauthenticated attacker on the same local area network (LAN) can send a crafted request to the LPD service without any prior authentication or user interaction. The lack of special-character filtering allows the attacker to inject arbitrary system commands into the request, which are then executed by the underlying operating system [1].

Impact

Successful exploitation enables the attacker to execute arbitrary commands with the privileges of the LPD process, leading to full compromise of confidentiality, integrity, and availability. The attacker can read or modify sensitive data, install malware, or disrupt or terminate the LPD service, causing a denial of service [1].

Mitigation

ASUS released firmware version 3.0.0.4.386.46092 to address this vulnerability. Users should update their RT-AC86U routers to this version or later. No workaround is available if the firmware cannot be updated [1].
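
To act on the mitigation across more than one device, the following added example (not part of the advisory or of any ASUS tooling) triages an asset inventory against the fixed firmware version named above. The inventory rows, host names, status labels and the underscore version form are assumptions made for the example; any build below the fixed one is treated as needing the update.

```python
import re

MODEL = "RT-AC86U"
FIXED = (3, 0, 0, 4, 386, 46092)  # fixed firmware version named in the advisory

def parse_version(text):
    """Parse 'v3.0.0.4.386.45956' or '3.0.0.4.386_45956' into an int tuple."""
    m = re.fullmatch(r"[vV]?([0-9]+(?:[._-][0-9]+){5})", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in re.split(r"[._-]", m.group(1)))

def triage(inventory):
    """Return {host: status} for each (host, model, firmware) row."""
    result = {}
    for host, model, firmware in inventory:
        if model.strip().upper() != MODEL:
            result[host] = "not-applicable"
            continue
        try:
            version = parse_version(firmware)
        except ValueError:
            # Unparseable strings are never assumed patched; check by hand.
            result[host] = "unknown-version"
            continue
        # Compare the whole tuple: a larger trailing build number on an
        # older branch (384 < 386) is still older than the fixed release.
        result[host] = "patched" if version >= FIXED else "needs-update"
    return result

# Constructed sample inventory; hosts and rows are made up for the example.
SAMPLE = [
    ("gw-office", "RT-AC86U", "v3.0.0.4.386.45956"),
    ("gw-lab", "RT-AC86U", "3.0.0.4.386_46092"),
    ("gw-home", "rt-ac86u", "3.0.0.4.384_81858"),
    ("gw-shop", "RT-AC86U", "custom-build"),
    ("gw-annex", "RT-AX88U", "3.0.0.4.386_45956"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Rows reported as unknown-version need a manual check rather than being counted as patched.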

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Asus/RT-AC86U (llm-fuzzy), 2 versions
    • (no CPE)
    • (no CPE), range: 3.0.0.4.386.45956

Patches

0

No patches discovered yet.

References

1