CVE-2023-39780 — ASUS RT-AX55 Routers OS Command Injection Vulnerability

ASUS RT-AX55 — Authenticated OS Command Injection via Router Management Interface

What is the ASUS RT-AX55?

The ASUS RT-AX55 is a Wi-Fi 6 (802.11ax) home and small-office router designed for dual-band wireless connectivity with speeds up to 3000 Mbps. Like most modern SOHO routers, it includes a web-based management interface accessible over the local network (and optionally from the internet via remote management features). ASUS routers are widely deployed globally and have been repeatedly targeted by botnet operators — control of a router gives attackers the ability to intercept, redirect, or monitor all network traffic passing through the device.

Overview

CVE-2023-39780 is an OS command injection vulnerability in the ASUS RT-AX55 router's management interface that allows an authenticated attacker with network access to execute arbitrary operating system commands on the device. The vulnerability was disclosed in September 2023 but added to the CISA KEV catalog significantly later in June 2025, reflecting active exploitation observed in the wild — consistent with campaigns by botnet operators incorporating older router vulnerabilities into their toolkits.

Affected Versions

| Product | Affected | Fixed |
|---|---|---|
| ASUS RT-AX55 | Firmware versions prior to patched release | Apply latest firmware from ASUS support page |

ASUS issued a firmware update addressing CVE-2023-39780 (along with related CVE-2023-41346). Users should check the current firmware version in the router management interface and compare it with the latest available on ASUS's support page.

Technical Details

The vulnerability is an OS command injection (CWE-78) in one or more management interface endpoints of the RT-AX55. When the router processes certain user-supplied inputs (such as configuration parameters handled by the router's web server) without adequate sanitization, attacker-controlled data is passed directly to a shell command. By injecting shell metacharacters or command separators, an authenticated attacker can append arbitrary commands that execute on the underlying Linux-based router firmware with root privileges.

The authentication requirement (PR:L) means the attacker must have valid router credentials — either the default admin password (many users never change this), credentials obtained through other means (password reuse, brute force), or credentials from a companion authentication bypass vulnerability.
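
The injection pattern described above, as an added example that is not ASUS firmware code and not code from the original advisory: a hypothetical handler for a "diagnostic target" setting, written once with the shell-string pattern and once hardened with an allowlist and a direct `execv`. The function names, the setting and the use of `/bin/echo` as a stand-in for a firmware helper are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical handler; /bin/echo stands in for a firmware helper.
 * VULNERABLE pattern, shown for contrast and never called: the value is
 * pasted into a string that /bin/sh parses, so a command separator in it
 * starts a second command with the web server's (root) privileges. */
int apply_target_vulnerable(const char *value) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/bin/echo target=%s", value);
    return system(cmd);
}

/* Allowlist: 1..253 chars of [A-Za-z0-9.-], not starting with '-' so the
 * value can never be read as an option by the helper program. */
int is_valid_target(const char *value) {
    size_t n = value ? strlen(value) : 0;
    if (n == 0 || n > 253 || value[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* HARDENED: validate first, then exec the helper directly with an argv
 * array. No shell is involved, so metacharacters have no meaning.
 * Returns the helper's exit status, or -1 if rejected or on error. */
int apply_target_hardened(const char *value) {
    if (!is_valid_target(value)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"/bin/echo", "target", (char *)value, NULL};
        execv(argv[0], argv);
        _exit(127);                      /* exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("%d\n", apply_target_hardened("example.net;id")); /* constructed input */
    return apply_target_hardened("time.example.net");
}
```

The two defences are independent: the allowlist rejects unexpected input before it reaches any helper, and the argv-based `execv` ensures that even a value that slipped through would be passed as a single argument, not parsed as shell syntax.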

Discovery

The vulnerability was identified and published in September 2023. The CISA KEV addition in June 2025 reflects that active exploitation against deployed devices was confirmed approximately 21 months after initial disclosure — a common pattern for router vulnerabilities, which remain in the field with unpatched firmware for years.

Exploitation Context

ASUS routers have been systematically targeted by botnet campaigns including Mirai variants, Cyclops Blink (attributed to Sandworm/Russia's GRU), and various other persistent botnet operators. When router management interfaces are exposed to the internet (either directly or through ASUS's remote management features), credential-based attacks combined with command injection vulnerabilities enable full device compromise without physical access. Compromised routers are used for traffic interception, DDoS infrastructure, proxy networks, and as pivot points into the LAN behind the router.

The 21-month gap between disclosure and KEV addition is consistent with ongoing exploitation of devices running outdated firmware rather than initial outbreak exploitation.

Remediation

  1. Update firmware immediately — go to the router management interface (typically 192.168.1.1 or 192.168.50.1), navigate to Administration → Firmware Upgrade, or download the latest firmware from the ASUS RT-AX55 support page.
  2. Change the default admin password — set a strong, unique password immediately if not already done; many router compromises exploit unchanged default credentials.
  3. Disable remote management — if WAN-side access to the management interface is not required, disable it (Advanced Settings → Administration → System → Enable Web Access from WAN → No).
  4. Enable ASUS AiProtection if available — provides additional network-level threat detection.
  5. Enable automatic firmware updates if the feature is available in your firmware version, to reduce the window between patch release and application.
  6. If compromise is suspected: perform a factory reset and reconfigure from scratch using a strong password; a compromised router may have modified its firmware to survive normal resets, in which case a JTAG or TFTP firmware flash may be needed.

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2023-39780 |
| Vendor / Product | ASUS — RT-AX55 Routers |
| NVD Published | 2023-09-11 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-78 |
| CISA KEV Added | 2025-06-02 |
| CISA KEV Deadline | 2025-06-23 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-06-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2023-09-11 | CVE-2023-39780 published |
| 2025-06-02 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-06-23 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| ASUS Product Security Advisory | Vendor Advisory |
| ASUS RT-AX55 Firmware Downloads | Vendor Advisory |
| NVD — CVE-2023-39780 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |