ASUS RT-AC86U - Command Injection
Description
ASUS RT-AC86U does not filter special characters in the parameters of specific web URLs. A remote attacker with normal user privileges can exploit this vulnerability to perform a command injection attack and execute arbitrary system commands, disrupt the system or terminate services.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ASUS RT-AC86U firmware v3.0.0.4.386.51255 suffers from a command injection vulnerability in web parameters, enabling authenticated remote attackers to execute arbitrary system commands.
Vulnerability
CVE-2023-28702 is a command injection vulnerability in ASUS RT-AC86U router firmware version v3.0.0.4.386.51255 and possibly earlier versions. The web management interface fails to properly filter special characters in parameters of specific URLs. An attacker who has already obtained a normal user session (low-privileged authenticated access) can inject operating system commands through these unsanitized inputs [1].
Exploitation
Exploitation requires the attacker to have network access to the router's web management interface and to be authenticated with a valid user account (normal user privileges). The attacker crafts a malicious HTTP request targeting affected URL parameters, injecting shell metacharacters such as semicolons or pipes to append arbitrary OS commands. No additional user interaction is needed because the vulnerable code path processes the parameters server-side upon receiving the request [1].
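The root cause and its fix, as an added example that is not ASUS firmware code and not taken from the referenced advisory: a hypothetical handler that receives a `host` parameter, first building a shell command line from it, then validating it against an allowlist and building an argument vector that no shell parses. The function names, the `ping` command and the sample values are assumptions for illustration; the affected URLs and parameters are not named on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the parameter is pasted into a command line meant
 * for system()/popen(), so the shell interprets any ';' or '|' in it. */
int build_cmd_unsafe(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened, step 1: allowlist. Only characters valid in a hostname or
 * IP literal pass; empty, overlong and leading '-' values are rejected
 * (the last would be read as an option by the target program). */
int is_valid_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Hardened, step 2: build an argv vector for execv()/posix_spawn();
 * no shell ever parses the value. Returns -1 if validation fails. */
int build_argv_safe(const char *host, const char *argv[5])
{
    if (!is_valid_host(host))
        return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "1";
    argv[3] = host;   argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample values for the hypothetical "host" parameter. */
    const char *samples[] = { "192.168.1.1", "router.example", "192.168.1.1;id" };
    char cmd[128];
    const char *argv[5];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_cmd_unsafe(samples[i], cmd, sizeof cmd);
        printf("shell line: [%s] -> hardened: %s\n", cmd,
               build_argv_safe(samples[i], argv) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The third sample reaches the shell line intact in the unsafe builder and is rejected by the hardened path before any process is started.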
Impact
Successful exploitation allows an authenticated remote attacker to execute arbitrary system commands with the privileges of the web server, which typically runs as root on embedded routers. The attacker can fully compromise the device: read or modify sensitive data, install persistent malware, disrupt network services, or render the router inoperable. The CVSS 3.1 base score is 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [1].
Mitigation
ASUS has released updated firmware to address this vulnerability. Users should update the RT-AC86U to the latest firmware version available on the ASUS support website, as the vendor recommends upgrading to the most recent release. As of the publication date (2023-06-02), the specific fixed version is not listed in the reference [1]. No workaround is provided; users must apply the firmware update to mitigate the risk.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)