CVE-2021-32030 — ASUS Routers Improper Authentication Vulnerability

CVE-2021-32030

ASUS Lyra Mini / GT-AC2900 — Improper Authentication Enabling Unauthenticated Admin Interface Access; EOL Devices — Discontinue Use

What are ASUS Lyra Mini and GT-AC2900?

ASUS Lyra Mini is a compact mesh Wi-Fi system designed for home and small office use, providing whole-home wireless coverage via a hub-and-node architecture. The ASUS ROG Rapture GT-AC2900 is a gaming-focused dual-band Wi-Fi router with advanced QoS and traffic management features. Both products have reached end-of-life status — ASUS no longer provides firmware updates or security patches for them. The four-year gap between CVE publication (2021) and CISA KEV addition (2025) reflects the persistent long-tail exploitation of unpatched consumer networking equipment by botnets and threat actors targeting home and small business networks.

Overview

CVE-2021-32030 is an improper authentication vulnerability (CWE-287) in ASUS Lyra Mini and ASUS GT-AC2900 routers. The vulnerability allows an attacker to gain unauthorized access to the router's administrative interface without valid credentials. An unauthenticated attacker with network access to the router's web management port can bypass the authentication requirement and access administrator-level functions. CISA's required action explicitly notes that "the impacted products could be end-of-life (EoL) and/or end-of-service (EoS)" and that "users should discontinue product utilization" — no patch is available. CISA added this to KEV in June 2025 following confirmed exploitation in the wild.

Affected Versions

Product           Status             Action
ASUS Lyra Mini    EOL — Vulnerable   Discontinue use
ASUS GT-AC2900    EOL — Vulnerable   Discontinue use

Technical Details

The router web management interface in these ASUS devices contains a flaw in the authentication mechanism that can be bypassed:

  • Root cause: Improper authentication (CWE-287) — the web management interface fails to adequately verify authentication before granting access to administrative functions. Specific request patterns or authentication flow manipulation allow bypassing the login requirement
  • Network access: The vulnerability is exploitable via the router's web management interface, which is typically accessible on the LAN side and, if remote management is enabled, from the WAN (internet) side
  • Administrator access: Successful exploitation gives an attacker full administrative control of the router — the ability to change Wi-Fi passwords, modify DNS settings, enable remote management, add persistent backdoor accounts, and intercept network traffic
  • No patch: Because both products are EOL, ASUS will not release firmware fixes. CISA's guidance is to discontinue use

Discovery

Identified through security research on ASUS router authentication mechanisms. The four-year delay between publication and CISA KEV addition is typical for consumer device vulnerabilities — exploitation becomes significant enough for KEV listing only when confirmed in-the-wild attacks are documented.

Exploitation Context

Router admin authentication bypasses are valuable for botnet operators (DDoS, proxy infrastructure), ISP credential theft (PPPoE credentials stored in router config), Wi-Fi password extraction, DNS hijacking for phishing, and network reconnaissance. EOL routers represent a significant long-tail exploitation risk because many users are unaware their device no longer receives security updates and may continue using the same device for years.

Remediation

  1. Replace ASUS Lyra Mini and GT-AC2900 devices immediately — CISA's required action for EOL devices is discontinuation, not patching
  2. Replace with a currently-supported router model from any manufacturer that actively receives firmware security updates
  3. If immediate replacement is not possible: disable remote management (WAN-side access) and ensure the management interface is not accessible from the internet
  4. Change all Wi-Fi passwords and router admin credentials after replacement, as they may have been compromised
  5. Review your home or office network for signs of DNS hijacking — check the router's DNS server settings against your ISP's legitimate DNS servers
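The remediation steps above can be checked mechanically against a router configuration export. The following is an added example (not from the advisory or from ASUS): it assumes a simple key=value export format with hypothetical key names (model, wan_remote_mgmt, wan_dns, admin_users) and a constructed sample dump, and flags the conditions the checklist calls out: an EOL model, WAN-side remote management, DNS servers outside the ISP's list, and unexpected admin accounts.

```python
"""Audit a router config export against the remediation checklist (added example)."""
from typing import Dict, List, Set

# Models the advisory lists as EOL; the uppercase string forms are assumptions.
EOL_MODELS = {"LYRA MINI", "GT-AC2900"}

def parse_export(text: str) -> Dict[str, str]:
    """Parse a key=value export (hypothetical format) into a dict, skipping comments."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg: Dict[str, str], isp_dns: Set[str], expected_admins: Set[str]) -> List[str]:
    """Return findings in checklist order; an empty list means all checks passed."""
    findings: List[str] = []
    model = cfg.get("model", "").upper()
    if model in EOL_MODELS:                       # step 1: EOL device, replace it
        findings.append(f"EOL model {model}: replace device")
    if cfg.get("wan_remote_mgmt", "0") != "0":    # step 3: WAN management must be off
        findings.append("remote management enabled on WAN side")
    dns = {d for d in cfg.get("wan_dns", "").split() if d}
    rogue = dns - isp_dns                         # step 5: DNS hijack indicator
    if rogue:
        findings.append(f"DNS servers not in ISP list: {sorted(rogue)}")
    admins = {a for a in cfg.get("admin_users", "").split(",") if a}
    extra = admins - expected_admins              # persistent backdoor accounts
    if extra:
        findings.append(f"unexpected admin accounts: {sorted(extra)}")
    return findings

# Constructed sample export; addresses are from documentation ranges, not real hosts.
SAMPLE_EXPORT = """\
# constructed sample, not a real device dump
model=GT-AC2900
wan_remote_mgmt=1
wan_dns=203.0.113.53 198.51.100.7
admin_users=admin,svc_backup
"""

if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT), {"203.0.113.53"}, {"admin"}):
        print("FINDING:", finding)
```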

Key Details

Property               Value
CVE ID                 CVE-2021-32030
Vendor / Product       ASUS — Routers
NVD Published          2021-05-06
NVD Last Modified      2025-11-10
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-287
CISA KEV Added         2025-06-02
CISA KEV Deadline      2025-06-23
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2025-06-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2021-05-06    CVE published
2025-06-02    Added to CISA Known Exploited Vulnerabilities catalog — four years after CVE publication
2025-06-23    CISA BOD 22-01 remediation deadline