VYPR
Unrated severity · NVD Advisory · Published Sep 7, 2023 · Updated Sep 26, 2024

ASUS RT-AC86U - Command injection vulnerability - 4

CVE-2023-39236

Description

The ASUS RT-AC86U Traffic Analyzer - Statistic function has insufficient filtering of special characters. A remote attacker with regular user privilege can exploit this vulnerability to perform a command injection attack to execute arbitrary commands, disrupt the system or terminate services.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A command injection vulnerability in ASUS RT-AC86U's Traffic Analyzer Statistics function lets authenticated remote attackers execute arbitrary commands.

Vulnerability

A command injection vulnerability exists in the Traffic Analyzer - Statistic function of the ASUS RT-AC86U router firmware version 3.0.0.4.386.51529 and possibly earlier versions [1]. The function fails to properly filter special characters in input parameters, allowing an attacker to inject arbitrary operating system commands [1].

Exploitation

A remote attacker must have a regular user account on the router to access the web management interface [1]. The attacker sends crafted HTTP requests to the vulnerable endpoint, injecting shell metacharacters into the input fields of the Traffic Analyzer's statistic function [1]. No additional user interaction or race condition is required; exploitation is straightforward once the attacker is authenticated.

Impact

Successful exploitation allows the attacker to execute arbitrary system commands with root privileges on the router's operating system [1]. This can lead to full compromise of the device, including data disclosure, modification, persistent denial of service, or termination of critical services [1].

Mitigation

ASUS has released firmware version 3.0.0.4.386_51915 to address this vulnerability [1]. Users should update to this fixed version immediately [1]. If the router cannot be updated, consider disabling remote management and limiting access to the web interface to trusted networks as a temporary workaround.
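A check a defender could run over a device inventory to flag RT-AC86U units still below the fixed build named above. This is an added example, not code from ASUS or from this advisory; the hostnames and the third sample version are constructed, and treating every build that sorts below the fixed one as needing the update is an assumption.

```python
import re

# Versions as written in the advisory text; note the two separator styles.
AFFECTED_BUILD = "3.0.0.4.386.51529"
FIXED_BUILD = "3.0.0.4.386_51915"

# Leading run of integers joined by '.' or '_'; any suffix is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:[._]\d+)*)")


def parse_firmware_version(text):
    """Turn '3.0.0.4.386_51915' or '3.0.0.4.386.51529' into a tuple of ints.

    Raises ValueError when the string has no leading numeric version.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in re.split(r"[._]", match.group(1)))


def needs_update(reported, fixed=FIXED_BUILD):
    """True when the reported build sorts below the fixed build."""
    a, b = parse_firmware_version(reported), parse_firmware_version(fixed)
    # Pad the shorter tuple so '3.0.0.4.386' compares as '3.0.0.4.386.0'.
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory):
    """Map each (hostname, version) pair to 'update', 'ok' or 'unknown'."""
    result = {}
    for host, version in inventory:
        try:
            result[host] = "update" if needs_update(version) else "ok"
        except ValueError:
            # Unparseable versions need a manual look, not a silent pass.
            result[host] = "unknown"
    return result


# Constructed inventory for illustration; hostnames are hypothetical.
SAMPLE_INVENTORY = [
    ("rtr-lobby", AFFECTED_BUILD),
    ("rtr-lab", FIXED_BUILD),
    ("rtr-branch", "3.0.0.4.384_82072"),  # constructed older-branch value
    ("rtr-old", "n/a"),
]
```

Calling `triage(SAMPLE_INVENTORY)` returns a status per host; entries marked `unknown` should be checked by hand rather than assumed patched.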

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 versions
  • Asus/RT-AC86U (llm-fuzzy)
    • (no CPE)
    • (no CPE), range: 3.0.0.4.386.51529

Patches

0

No patches discovered yet.

References

1
