VYPR
Unrated severity · NVD Advisory · Published Apr 22, 2022 · Updated Sep 17, 2024

ASUS RT-AX88U - Stored XSS

CVE-2022-26673

Description

Stored XSS in ASUS RT-AX88U via unfiltered HTTP header parameter allows JavaScript injection by authenticated users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ASUS RT-AX88U firmware versions prior to 3.0.0.4.386.46065 contain a stored cross-site scripting (XSS) vulnerability in the handling of an HTTP header parameter. The device fails to properly sanitize special characters in this parameter, enabling an attacker to inject arbitrary JavaScript. The vulnerability is triggered when the injected payload is stored and later rendered in the device's admin interface. Affected product: ASUS RT-AX88U with firmware earlier than v3.0.0.4.386.4606 [1].

Exploitation

An attacker must first obtain a general user-level account on the device (e.g., through stolen credentials or other means). With that access, the attacker can craft a request containing malicious JavaScript in the HTTP header parameter. When the administrator or other users view the stored data in the router's web interface, the injected script executes within the context of the user's browser. No network proximity beyond standard web access is required; authentication as a low-privilege user and user interaction (viewing the affected page) are the sole prerequisites [1].

Impact

Successful exploitation results in stored cross-site scripting (XSS) that can lead to unauthorized actions being performed on behalf of an authenticated administrator, such as modification of router settings, exfiltration of session cookies, or further compromise of the network. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N indicates low impact to confidentiality and integrity, but the scope change means the vulnerability can affect resources beyond the original vulnerable component [1].

Mitigation

ASUS released firmware version 3.0.0.4.386.46065 to address this vulnerability. Users must update their RT-AX88U router to this version or later. No workaround has been publicly documented; updating is the recommended course of action. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Asus/RT-AX88U (llm-fuzzy), 2 versions
    • (no CPE)
    • (no CPE), range: unspecified

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
