Home / Threat Intelligence bulletins / Customers urged by ASUS to fix serious router vulnerabilities

Target Industry

Indiscriminate, opportunistic targeting.


Customers are advised to quickly upgrade their devices or to restrict WAN access until they are secure by ASUS, which has provided new firmware with cumulative security patches that address vulnerabilities in several router models. The two vulnerabilities are CVE-2022-26376 and CVE-2018-1160.


Successful exploitation of CVE-2022-26376 would allow an attacker to do the following:

  • Code Execution: By taking advantage of a memory corruption flaw, an attacker may be able to run any code they choose on the vulnerable system. This may result in malware installation, remote control of the device, or unauthorised access.
  • System Compromise: By taking advantage of memory corruption flaws, attackers can seize total command of a system, potentially leading to a complete compromise of the device or network. This enables them to steal confidential information, editing or delete files, or starting new attacks.
  • Disclosure of Information: Memory corruption flaws can be used to expose sensitive data kept in memory. Attackers can view material that was not intended to be made public, such as passwords, encryption keys, or private user information.
  • Denial of Service (DoS): By taking advantage of memory corruption flaws, an attacker can cause a system or piece of software to crash. This may result in the system being unstable, services being interrupted, and genuine users losing access to the system.

Successful exploitation of CVE-2018-1160 would allow an attacker to execute arbitrary code and would also allow:

  • Unauthorised Access: Attackers may get access to the compromised device without authorisation, giving them control over the system and giving them the possibility to harvest sensitive data, change configurations, or conduct malicious actions.
  • Data breaches: Exploitation techniques that allow for arbitrary code execution frequently target unpatched devices. Attackers could use this access to compromise the device’s security and take confidential company information, financial records, or sensitive personal data.
  • Expanding Attack Surface: Devices without security updates are targets for hackers trying to take over a system or network. Arbitrary code execution can give them a starting point for other attacks, compromising other networked devices, servers, or vital infrastructure pieces.

Vulnerability Detection

A security patch for the vulnerability has been released by ASUS. Previous product versions therefore remain vulnerable to potential exploitation.

Affected Products

  • GT6
  • GT-AXE16000
  • GT-AX11000 PRO
  • GT-AX6000
  • GT-AX11000
  • GS-AX5400
  • GS-AX3000
  • XT9
  • XT8
  • XT8 V2
  • RT-AX86U PRO
  • RT-AX86U, RT-AX86S
  • RT-AX82U
  • RT-AX58U
  • RT-AX3000
  • TUF-AX6000
  • TUF-AX5400

Containment, Mitigations & Remediations

Microsoft Defender for Endpoint focuses on advanced threat detection and response capabilities for endpoints, such as desktops, laptops, and servers. This provides real-time monitoring and detection, threat intelligence and analytics, endpoint behaviour sensors, incident investigation and response and is integrated with Microsoft 365 security centre.

All devices should implement the most recent vendor updates available as these will contain updates to their security features to help prevent exploitation from known threats.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Memory corruption flaws present a substantial danger to environment that seriously jeopardises the stability and security of software systems.

Arbitrary code execution on unpatched devices poses a danger to system security and can have a number of negative effects. Threat actors actively investigate and create exploits that target specific vulnerabilities and provide arbitrary code execution. To exploit unpatched devices, they might write their own exploit code or alter already-existing proof-of-concept exploits.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies





Further Information

A memory corruption vulnerability exists in the httpd

Netatalk before 3.1.12 is vulnerable to an out of bounds