Risk | High |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2017-12754 |
CWE-ID | CWE-121 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software Subscribe |
AsusWRT Hardware solutions / Firmware |
Vendor | Asus |
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU11222
Risk: High
CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-12754
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists in the httpd daemon due to improper processing of crafted HTTP GET request packets. A remote attacker can send a specially crafted HTTP GET request that contains a long delete_offline_client parameter, trigger a stack-based buffer overflow and execute arbitrary code.
MitigationInstall update from vendor's website.
Vulnerable software versionsAsusWRT: 380.60 - 380.68
External linkshttp://asuswrt.lostrealm.ca/changelog
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.