VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 3, 2023· Updated Sep 6, 2024

ASUS RT-AX55 - command injection - 2

CVE-2023-41346

Description

ASUS RT-AX55 firmware 3.0.0.4.386.51598 suffers from command injection in its token-refresh module, enabling authenticated remote attackers to execute arbitrary commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ASUS RT-AX55 firmware 3.0.0.4.386.51598 suffers from command injection in its token-refresh module, enabling authenticated remote attackers to execute arbitrary commands.

Vulnerability

The vulnerability exists in the token-refresh module of the authentication-related function in ASUS RT-AX55 routers. The module fails to properly filter special characters, allowing command injection. The affected firmware version is 3.0.0.4.386.51598 [1]. An attacker must have valid authentication credentials to exploit this flaw.

Exploitation

An authenticated remote attacker can send specially crafted HTTP requests to the token-refresh endpoint, injecting arbitrary commands into the system [1]. No user interaction is required, and the attack can be carried out over the network.

Impact

Successful exploitation enables the attacker to execute arbitrary commands with system-level privileges. This leads to full compromise of confidentiality, integrity, and availability, including disruption of services or termination of system processes [1].

Mitigation

The vendor has released firmware version 3.0.0.4.386_51948 to address the vulnerability [1]. Users should update their RT-AX55 routers to this fixed version as soon as possible. No alternative workarounds have been disclosed.

References
  1. ASUS RT-AX55 - command injection - 2

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Asus/RT-AX55llm-fuzzy2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: 3.0.0.4.386.51598

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.