CVE-2025-59369

Vulnerability

Overview

CVE-2025-59369 is a SQL injection vulnerability in the bwdpi component of ASUS router firmware. The root cause is improper sanitization of user-supplied input within the bwdpi functionality, allowing an authenticated attacker to inject arbitrary SQL commands into database queries [1].\. This flaw is present in certain firmware versions and can be exploited by a remote attacker who has already obtained valid credentials for the router's administrative interface [1].

Exploitation and

Attack Surface

To exploit this vulnerability, an attacker must first authenticate to the router's web management interface. Once authenticated, the attacker can send specially crafted HTTP requests to the bwdpi endpoint, which fails to properly neutralize SQL syntax in user input. No additional network access beyond the router's LAN or WAN management interface is required, as the vulnerable component is accessible to authenticated users [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL queries against the router's internal database. This can lead to unauthorized reading, modification, or deletion of sensitive data stored by the router, such as device configuration, logs, or user credentials. The impact is limited to data accessible via the database, but could enable further attacks on the network compromise if credentials are extracted [1].

Mitigation

ASUS has released a security update to address this vulnerability. Users are advised to update their router firmware to the latest version available from the ASUS support website. No workaround is documented, and the vulnerability is not currently listed in the Known Exploited Vulnerabilities (KEV) catalog [1].