ASUS RT-AC86U - Command injection vulnerability - 3
Description
The unused Traffic Analyzer legacy Statistic function in ASUS RT-AC86U does not sufficiently filter special characters. A remote attacker with regular user privileges can exploit this vulnerability to perform a command injection attack and execute arbitrary commands, disrupt the system, or terminate services.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ASUS RT-AC86U's Traffic Analyzer legacy Statistic function lacks input sanitization, allowing authenticated command injection with high impact.
Vulnerability
ASUS RT-AC86U firmware versions prior to 3.0.0.4.386_51915 contain a command injection flaw in the Traffic Analyzer legacy Statistic function (wanStat_detail). The function fails to properly filter special characters in input parameters, enabling an attacker who has already obtained regular user credentials to inject arbitrary operating system commands [1].
Exploitation
An attacker must be a remote user with a valid regular-privilege account on the router. No additional privileges or physical access are required. By sending a crafted HTTP request to the vulnerable wanStat_detail endpoint with malicious payloads in the unsanitized parameters, the attacker can execute arbitrary shell commands on the underlying system [1].
Impact
Successful command injection allows the attacker to execute arbitrary commands as a high-privilege user, leading to full compromise of the device. This can result in complete loss of confidentiality (reading sensitive data), integrity (modifying system files or configurations), and availability (disrupting services or causing denial of service) [1].
Mitigation
ASUS released firmware version 3.0.0.4.386_51915 to fix this vulnerability. Affected users should update their RT-AC86U routers to this or a later patched version immediately. No official workaround is available apart from upgrading [1].
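Since upgrading is the only fix, the practical check is whether each RT-AC86U in an inventory runs firmware below 3.0.0.4.386_51915. The following is an added example, not code from ASUS or from this page; the inventory entries, host names and the `-g…` suffix handling are constructed assumptions about how versions are recorded.

```python
import re

FIXED = "3.0.0.4.386_51915"   # fixed firmware version stated on this page
MODEL = "RT-AC86U"            # only model this page covers

# Dotted branch, underscore, build number; trailing suffixes are ignored.
_VER = re.compile(r"^\s*(\d+(?:\.\d+)*)_(\d+)")

def parse_version(text):
    """Return (branch_tuple, build) for strings like '3.0.0.4.386_51915'."""
    m = _VER.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def is_affected(model, version):
    """True = below the fix, False = at/after the fix or a model this page
    does not cover, None = version cannot be compared (manual review)."""
    if model.strip().upper() != MODEL:
        return False
    try:
        cur = parse_version(version)
    except ValueError:
        return None
    fixed = parse_version(FIXED)
    if len(cur[0]) != len(fixed[0]):   # short forms such as '386_51915'
        return None
    # Compare branch first, then build: an older branch can carry a
    # numerically larger build number than the fixed release.
    return cur < fixed

# Constructed sample inventory: (host, model, reported firmware version)
INVENTORY = [
    ("gw-01", "RT-AC86U", "3.0.0.4.384_82072"),
    ("gw-02", "RT-AC86U", "3.0.0.4.386_51915"),
    ("gw-03", "RT-AC86U", "3.0.0.4.386_48260-g1a2b3c4"),
    ("gw-04", "RT-AC68U", "3.0.0.4.386_40558"),
    ("gw-05", "RT-AC86U", "unknown"),
]

def triage(inventory):
    return {host: is_affected(model, ver) for host, model, ver in inventory}

if __name__ == "__main__":
    labels = {True: "UPDATE", False: "ok", None: "REVIEW"}
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {labels[status]}")
```

A `False` result for another model only means this page does not cover it, not that the device is unaffected by other advisories.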
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.