Description
An OS command injection vulnerability in the web management interface of certain ASUS router models allows remote authenticated administrators to execute arbitrary system commands via a crafted parameter.
Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.
Published: 2026-03-26
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in the web management interface of certain ASUS router models that allows a remote authenticated administrator to execute arbitrary system commands by supplying a specially crafted parameter. The vulnerability arises when user input is passed directly to the operating system shell without adequate sanitization. Successful exploitation enables the attacker to run commands with the privileges of the router’s administrative account, which can affect the device’s operation and configuration.

Affected Systems

The issue affects ASUS router models running firmware that incorporates the vulnerable web interface. No specific firmware version range is provided in the advisory, so any firmware build containing the affected module could be susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.6, indicating high severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring an authenticated administrative session; an attacker must first obtain or compromise router admin credentials to deliver a malicious request that triggers the OS command execution. Exploitation would grant the attacker the same level of access as the router’s administrator and could compromise the device’s security.

Generated by OpenCVE AI on May 13, 2026 at 18:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official ASUS firmware update that addresses the OS command injection flaw in the web interface.
  • Restrict access to the router’s web interface to the internal network and block external connections.
  • Monitor router logs for unexpected command execution activity.

Generated by OpenCVE AI on May 13, 2026 at 18:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.asus.com/security-advisory/ cve-icon cve-icon
History

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Title Remote Authenticated Command Injection in ASUS Router Web Interface

Wed, 13 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352

Wed, 13 May 2026 04:30:00 +0000

Type Values Removed Values Added
Title Remote Authenticated Command Injection in ASUS Router Web Interface

Wed, 13 May 2026 02:15:00 +0000

Type Values Removed Values Added
Description A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with the existing privileges of an authenticated user on the affected device, including the ability to execute system commands through unintended mechanisms. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. An OS command injection vulnerability in the web management interface of certain ASUS router models allows remote authenticated administrators to execute arbitrary system commands via a crafted parameter. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

 cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title CSRF Vulnerability Allowing Remote Command Execution on ASUS Router Web Interface

Thu, 26 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Asus asus Firmware
CPEs cpe:2.3:o:asus:asus_firmware:*:*:*:*:*:*:*:*
Vendors & Products Asus asus Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title CSRF Vulnerability Allowing Remote Command Execution on ASUS Router Web Interface

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Asus
Asus router
Vendors & Products Asus
Asus router

Thu, 26 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with the existing privileges of an authenticated user on the affected device, including the ability to execute system commands through unintended mechanisms. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.
Weaknesses CWE-352
CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Asus Asus Firmware Router
cve-icon MITRE

Status: PUBLISHED

Assigner: ASUS

Published:

Updated: 2026-05-13T01:44:37.638Z

Reserved: 2025-12-26T02:08:21.482Z

Link: CVE-2025-15101

cve-icon Vulnrichment

Updated: 2026-03-26T14:01:18.896Z

cve-icon NVD

Status : Modified

Published: 2026-03-26T03:16:02.400

Modified: 2026-05-13T04:17:02.273

Link: CVE-2025-15101

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T18:15:16Z

Weaknesses