SB2025022120 - Improper Authentication in ASUS GT-AC2900 and Lyra Mini
Published: February 21, 2025 Updated: June 2, 2025
Security Bulletin ID
SB2025022120
CSH Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Authentication (CVE-ID: CVE-2021-32030)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when processing authentication requests. A remote attacker can bypass authentication process and gain unauthorized access to the application.
Remediation
Install update from vendor's website.
References
- https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.md
- https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AC2900/HelpDesk_BIOS/
- https://www.asus.com/us/supportonly/lyra%20mini/helpdesk_bios/
- https://www.atredis.com/blog/2021/4/30/asus-authentication-bypass
- https://jvn.jp/en/vu/JVNVU97639704/index.html