The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 and Lyra Mini before 3.0.0.4_384_46630 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations. Note: All versions of Lyra Mini and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability, Consumers can mitigate this vulnerability by disabling the remote access features from WAN.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 04 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Asus lyra Mini
Asus lyra Mini Firmware
CPEs cpe:2.3:h:asus:lyra_mini:-:*:*:*:*:*:*:*
cpe:2.3:o:asus:lyra_mini_firmware:*:*:*:*:*:*:*:*
Vendors & Products Asus lyra Mini
Asus lyra Mini Firmware

Mon, 02 Jun 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2025-06-02'}


Mon, 02 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 06 Feb 2025 13:45:00 +0000

Type Values Removed Values Added
Description The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations. The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 and Lyra Mini before 3.0.0.4_384_46630 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations. Note: All versions of Lyra Mini and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability, Consumers can mitigate this vulnerability by disabling the remote access features from WAN.
References

Fri, 24 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-07-30T01:38:11.527Z

Reserved: 2021-05-05T00:00:00.000Z

Link: CVE-2021-32030

cve-icon Vulnrichment

Updated: 2024-08-03T23:17:28.509Z

cve-icon NVD

Status : Analyzed

Published: 2021-05-06T15:15:07.973

Modified: 2025-06-03T21:02:26.587

Link: CVE-2021-32030

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.