Asus Warns Users to Update Router Firmware to Avoid Security Vulnerabilities
Asus has released new firmware with cumulative security updates that fix critical vulnerabilities in several router models. The manufacturer warns users to update their devices as soon as possible or restrict their access to the Internet until patches are installed.
Nine Vulnerabilities Fixed
In total, the updated firmware fixes nine vulnerabilities, including bugs rated serious and critical.
The most serious issues fixed were CVE-2022-26376 (9.8 CVSS) and CVE-2018-1160 (9.8 CVSS). The first of these is a critical memory corruption vulnerability in Asuswrt prior to version 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to version 386.7. This bug could allow attackers to cause a denial of service or execute arbitrary code.
“A specially crafted HTTP request can lead to memory corruption. An attacker could send a network request to exploit this vulnerability,” explains Asus.
The second vulnerability, CVE-2018-1160, is almost five years old. It is related to out-of-bounds reading and writing in Netatalk before version 3.1.12 and can also be used to execute arbitrary code on unpatched devices.
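As an added example (not from Asus or the original article), the "prior to" versions quoted above can be turned into a simple inventory check. The product keys, the sample inventory and the rule that non-numeric version strings are sent to manual review are assumptions of this example.

```python
import re

# "Fixed in" versions exactly as quoted in the article.
FIXED = {
    "asuswrt": "3.0.0.4.386_48706",   # CVE-2022-26376
    "asuswrt-merlin": "386.7",        # CVE-2022-26376 (Merlin New Gen)
    "netatalk": "3.1.12",             # CVE-2018-1160
}

def parse_version(text):
    """Turn '3.0.0.4.386_48706' into (3, 0, 0, 4, 386, 48706).
    Returns None for strings with non-numeric parts (e.g. beta tags),
    which this example treats as 'needs manual review' (assumption)."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:[._]\d+)*", text):
        return None
    return tuple(int(part) for part in re.split(r"[._]", text))

def is_vulnerable(product, version):
    """True if version is prior to the fixed release, False if not,
    None if the product or version cannot be judged automatically."""
    fixed = FIXED.get(product.lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return None
    return parsed < parse_version(fixed)

def triage(inventory):
    """Split (host, product, version) rows into update / review lists."""
    update, review = [], []
    for host, product, version in inventory:
        verdict = is_vulnerable(product, version)
        if verdict is None:
            review.append(host)
        elif verdict:
            update.append(host)
    return update, review

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("rtr-lobby", "asuswrt", "3.0.0.4.386_46065"),
    ("rtr-lab", "asuswrt", "3.0.0.4.386_48706"),
    ("rtr-home", "asuswrt-merlin", "386.5_2"),
    ("rtr-test", "asuswrt-merlin", "386.7_beta1"),
    ("nas-afp", "netatalk", "3.1.11"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```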
Affected Router Models
The following router models are reported to be affected: PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000 and TUF-AX5400.
“Please note, if you choose not to install a new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potentially unwanted intrusions. These services include WAN remote access, port forwarding, DDNS, VPN server, DMZ, and trigger port,” the developers warn.
Additional Security Measures
In addition to installing patches, the company recommends creating separate passwords for the wireless network and the router's admin account, using at least eight characters (capital letters, numbers, and symbols) for each, and avoiding the same password for multiple devices or services.