Description
An OS command injection vulnerability in the web management interface of certain ASUS router models allows remote authenticated administrators to execute arbitrary system commands via a crafted parameter.
Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.
Published: 2026-03-26
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw in the web management interface of certain ASUS router models permits a remote authenticated administrator to execute arbitrary system commands by supplying a specially crafted parameter. The vulnerability arises because user input is passed directly to the operating system shell without adequate sanitization. Successful exploitation grants the attacker the privileges of the router’s administrative account, leading to full compromise of confidentiality, integrity, and availability of the device and potentially the broader network.

Affected Systems

The vulnerability affects ASUS router models running firmware that incorporates the vulnerable web interface. The advisory does not specify a firmware version range. All firmware builds containing the affected web management module are potentially at risk.

Risk and Exploitability

With a CVSS score of 8.6, the vulnerability is classified as high severity, while an EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog, further suggesting limited active exploitation. The attack vector is inferred to be remote, requiring an authenticated administrative session; an attacker could log in to the web interface or otherwise obtain administrator credentials to submit a maliciously crafted request that triggers the OS command execution. Successful exploitation would grant the attacker the same level of access as the router’s administrator, potentially allowing arbitrary command execution and full control of the operating system.

Generated by OpenCVE AI on May 13, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official ASUS firmware update that fixes the OS command injection flaw in the web interface.
  • Restrict web interface access to the internal network and block external connections.
  • Monitor router logs for unexpected command execution activity.

Generated by OpenCVE AI on May 13, 2026 at 04:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.asus.com/security-advisory/ cve-icon cve-icon
History

Wed, 13 May 2026 04:30:00 +0000

Type Values Removed Values Added
Title Remote Authenticated Command Injection in ASUS Router Web Interface

Wed, 13 May 2026 02:15:00 +0000

Type Values Removed Values Added
Description A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with the existing privileges of an authenticated user on the affected device, including the ability to execute system commands through unintended mechanisms. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. An OS command injection vulnerability in the web management interface of certain ASUS router models allows remote authenticated administrators to execute arbitrary system commands via a crafted parameter. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

 cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title CSRF Vulnerability Allowing Remote Command Execution on ASUS Router Web Interface

Thu, 26 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Asus asus Firmware
CPEs cpe:2.3:o:asus:asus_firmware:*:*:*:*:*:*:*:*
Vendors & Products Asus asus Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title CSRF Vulnerability Allowing Remote Command Execution on ASUS Router Web Interface

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Asus
Asus router
Vendors & Products Asus
Asus router

Thu, 26 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with the existing privileges of an authenticated user on the affected device, including the ability to execute system commands through unintended mechanisms. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.
Weaknesses CWE-352
CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Asus Asus Firmware Router
cve-icon MITRE

Status: PUBLISHED

Assigner: ASUS

Published:

Updated: 2026-05-13T01:44:37.638Z

Reserved: 2025-12-26T02:08:21.482Z

Link: CVE-2025-15101

cve-icon Vulnrichment

Updated: 2026-03-26T14:01:18.896Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T03:16:02.400

Modified: 2026-03-26T16:43:20.300

Link: CVE-2025-15101

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T04:30:05Z

Weaknesses