Description
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with the existing privileges of an authenticated user on the affected device, including the ability to execute system commands through unintended mechanisms.
Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.
Published: 2026-03-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution via CSRF
Action: Immediate Patch
AI Analysis

Impact

A Cross‑Site Request Forgery flaw in the Web management interface allows an attacker to trigger privileged actions using an authenticated user’s session, resulting in the ability to execute system commands on the router. The flaw stems from a lack of proper request validation, thereby enabling unintended command execution. The consequences include compromise of confidentiality, integrity and availability of the device, and potentially full control of the router’s operating system.

Affected Systems

The vulnerability affects ASUS router models running firmware that incorporates the vulnerable web interface. The advisory references the common platform enumeration cpe:2.3:o:asus:asus_firmware:*:*:*:*:*:*:*:*, but does not provide a specific firmware version range. All firmware builds containing the affected web management module are potentially at risk.

Risk and Exploitability

With a CVSS score of 8.5, this vulnerability is classified as high severity, while an EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog, further suggesting limited active exploitation. The attack vector is inferred to be CSRF; an attacker would need to trick an authenticated user into submitting a crafted web request or compromise the router’s network to gain privileged access. Successful exploitation would grant the attacker the same level of access as the user and could result in arbitrary command execution.

Generated by OpenCVE AI on March 26, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official ASUS firmware update that addresses the CSRF flaw
  • Verify that the router is running the latest firmware release
  • If an update is not yet available, limit the web interface to internal network access only
  • Monitor router logs for suspicious command execution attempts

Generated by OpenCVE AI on March 26, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.asus.com/security-advisory/ cve-icon cve-icon
History

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title CSRF Vulnerability Allowing Remote Command Execution on ASUS Router Web Interface

Thu, 26 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Asus asus Firmware
CPEs cpe:2.3:o:asus:asus_firmware:*:*:*:*:*:*:*:*
Vendors & Products Asus asus Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title CSRF Vulnerability Allowing Remote Command Execution on ASUS Router Web Interface

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Asus
Asus router
Vendors & Products Asus
Asus router

Thu, 26 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with the existing privileges of an authenticated user on the affected device, including the ability to execute system commands through unintended mechanisms. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.
Weaknesses CWE-352
CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Asus Asus Firmware Router
cve-icon MITRE

Status: PUBLISHED

Assigner: ASUS

Published:

Updated: 2026-03-27T03:55:34.490Z

Reserved: 2025-12-26T02:08:21.482Z

Link: CVE-2025-15101

cve-icon Vulnrichment

Updated: 2026-03-26T14:01:18.896Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T03:16:02.400

Modified: 2026-03-26T16:43:20.300

Link: CVE-2025-15101

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:28:59Z

Weaknesses