
[CIVN-2025-0342] Multiple Vulnerabilities in ASUS Router
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: High
Software Affected:
ASUS Router
3.0.0.4_386 series
3.0.0.4_388 series
3.0.0.6_102 series
Overview:
Multiple vulnerabilities have been reported in ASUS Router that could be exploited by an authenticated attacker to execute arbitrary code on the affected device.
Target Audience:
Network and Security Administrators, IT Operations and System Engineers, Enterprise Architects and CIOs/CTOs, Managed Service Providers (MSPs)
Risk Assessment:
There is a high risk to confidentiality, operations, integrity, and availability.
Impact Assessment:
There is a high risk to confidentiality, integrity, and availability.
Description:
1. Authentication-bypass Vulnerability (CVE-2025-59366, CVE-2025-59371)
These vulnerabilities exist in the AiCloud and IFTTT integration features due to an unintended side effect of the Samba functionality. An attacker could exploit these vulnerabilities to execute specific functions without proper authorization, potentially gaining unauthorized access to the affected device.
2. SQL Injection Vulnerability (CVE-2025-59369)
This vulnerability exists in the bwdpi component. A remote, authenticated attacker could exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized access to sensitive data.
3. Command Injection Vulnerability (CVE-2025-59368, CVE-2025-59370)
These vulnerabilities exist in AiCloud and bwdpi. An authenticated attacker could exploit these vulnerabilities by sending specially crafted requests, allowing the execution of arbitrary system commands and causing the device to run unintended instructions.
4. Path Traversal Vulnerability (CVE-2025-59372, CVE-2025-12003)
These vulnerabilities exist in certain router models using WebDAV. A remote, authenticated attacker could exploit these vulnerabilities to write files outside the intended directory, potentially compromising the device's file system.
Solution:
Apply the appropriate software updates as mentioned by the vendor:
https://www.asus.com/security-advisory
Vendor Information:
ASUS
https://www.asus.com/security-advisory
References:
https://www.asus.com/security-advisory
CVE Name:
CVE-2025-59366
CVE-2025-59368
CVE-2025-59369
CVE-2025-59370
CVE-2025-59371
CVE-2025-59372
CVE-2025-12003
—
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


