OS Command Injection in Asus products - CVE-2023-28702

 


Published: June 20, 2023


Vulnerability identifier: #VU77536
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-28702
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
GT6
GT-AXE16000
GT-AXE11000 PRO
GT-AXE11000
GT-AX6000
GT-AX11000
GS-AX5400
GS-AX3000
ZenWiFi XT9
ZenWiFi XT8
ZenWiFi XT8_V2
RT-AX86U PRO
RT-AX86U
RT-AX86S
RT-AX82U
RT-AX58U
RT-AX3000
TUF-AX6000
TUF-AX5400
Software vendor:
Asus

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation. A remote user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


Remediation

Install updates from the vendor's website.
