Wi-Fi routers are often the victim of numerous cyberattacks, as they offer quick and easy access to various devices on the network. Now, according to a new report from Bleeping Computer, security researchers have discovered three new vulnerabilities in several high-end ASUS routers, which can potentially allow threat actors to conduct ransomware attacks.
These vulnerabilities, known as CVE-2023-39238, CVE-2023-39239, and CVE-2023-39240, are format string vulnerabilities notorious for their susceptibility to remote exploitation without authentication. This opens the door to various malicious activities, such as code execution, service disruptions and unauthorized operations. Furthermore, these vulnerabilities carry a severity score of 9.8 out of 10, thus highlighting the seriousness of the situation.
What is the solution?
As per the report, these vulnerabilities affect ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers running specific firmware versions: 3.0.0.4.386_50460, 3.0.0.4.386_50460, and 3.0.0.4_386_51529, respectively. However, due to the gravity of the issue, ASUS has taken swift action to address these vulnerabilities by releasing patches in early August 2023 for RT-AX55, in May 2023 for AX56U_V2, and in July 2023 for RT-AC86U.
Additionally, considering the fact that threat actors are actively exploiting vulnerabilities in the web admin console, users should consider disabling the remote administration feature (WAN Web Access). This precautionary measure helps prevent unauthorized access from the internet, adding an extra layer of security to your router.
“If you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions,” said Asus in a statement.
ASUS’s history of security issues
While these new vulnerabilities may appear isolated, it’s important to note that ASUS has a track record of security issues with its routers. Just two months ago, the company released a critical firmware update to address several high-severity flaws. Furthermore, the company has faced a total of three CVEs in 2023 and five in 2022.