All three flaws, which have a critical severity CVSS v3.1 score of 9.8 out of 10.0, are format string vulnerabilities that hackers can remotely exploit without authentication. From here, they could remotely execute code on the devices, interrupt their service and perform other arbitrary operations.
The vulnerabilities, tracked as CVE-2023-39238, CVE-2023-39239 and CVE-2023-39240, were disclosed by Taiwan’s Computer Emergency Response Team (CERT) earlier today and impact the Asus RT-AX55, RT-AX56U_V2, and RT-AC86U running firmware versions 126.96.36.199.386_50460, 188.8.131.52.386_50460, and 184.108.40.206_386_51529.
Fortunately for owners of some of the best gaming routers from Asus, the company has already released firmware updates to patch these vulnerabilities.
How to update your Asus router
If you own one of the affected Asus routers, you’re going to need to apply the latest firmware updates ASAP since failure to do so can leave your router vulnerable to cyberattacks. There are several different ways to update your Asus router and you can do so using the company’s WebGUI, manually or with the Asus Router App.
The Asus RT-AX55 needs to be running firmware version 220.127.116.11.386_51948 or later, the Asus RT-AX56U_V2 requires firmware version 18.104.22.168.386_51948 or later and the Asus RT-AC86U should be running firmware version 22.214.171.124.386_51915 or later to be protected against attacks leveraging these vulnerabilities.
If you regularly update your router (which you should), you may already be protected as Asus released a patch to address these three flaws back in May for the Asus AX56U_V2, in July for the Asus RT-AC86U and in early August for the Asus RT-AX55.
For additional protection, you should also disable remote administration (WAN Web Access) on your Asus router as these flaws and others like it often target the web admin console on consumer devices.