Login Sign Up

CVE-2018-8826

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This critical vulnerability allows remote attackers to execute arbitrary code on affected ASUS routers without authentication. Attackers can potentially take full control of the router, affecting all ASUS RT-series router models listed with outdated firmware versions. This is a CVSS 9.8 vulnerability indicating near-maximum severity.

💻 Affected Systems

Products:
  • ASUS RT-AC51U
  • RT-AC58U
  • RT-AC66U
  • RT-AC1750
  • RT-ACRH13
  • RT-N12 D1
  • RT-AC52U B1
  • RT-AC1200
  • RT-N600
  • RT-AC55U
  • RT-AC55UHP
  • RT-AC86U
  • RT-AC2900
  • possibly other RT-series routers
Versions: Firmware before specified versions for each model (e.g., before 3.0.0.4.380.8228 for RT-AC51U)
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected routers are vulnerable in default configuration. The vulnerability is in the web interface/management component.

📦 What is this software?

Rt Ac1200 Firmware by Asus

View all CVEs affecting Rt Ac1200 Firmware →

Rt Ac1750 Firmware by Asus

View all CVEs affecting Rt Ac1750 Firmware →

Rt Ac2900 Firmware by Asus

View all CVEs affecting Rt Ac2900 Firmware →

Rt Ac51u Firmware by Asus

View all CVEs affecting Rt Ac51u Firmware →

Rt Ac52u B1 Firmware by Asus

View all CVEs affecting Rt Ac52u B1 Firmware →

Rt Ac55u Firmware by Asus

View all CVEs affecting Rt Ac55u Firmware →

Rt Ac55uhp Firmware by Asus

View all CVEs affecting Rt Ac55uhp Firmware →

Rt Ac58u Firmware by Asus

View all CVEs affecting Rt Ac58u Firmware →

Rt Ac66u\+ Firmware by Asus

View all CVEs affecting Rt Ac66u\+ Firmware →

Rt Ac86u Firmware by Asus

View all CVEs affecting Rt Ac86u Firmware →

Rt Acrh13 Firmware by Asus

View all CVEs affecting Rt Acrh13 Firmware →

Rt N12 D1 Firmware by Asus

View all CVEs affecting Rt N12 D1 Firmware →

Rt N600 Firmware by Asus

View all CVEs affecting Rt N600 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attackers to intercept all network traffic, install persistent malware, pivot to internal network devices, and use the router as part of a botnet.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, and installation of cryptocurrency miners or other malware.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted WAN access, though internal attackers could still exploit.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

While no public PoC is confirmed, the high CVSS score and remote unauthenticated nature make weaponization likely. Attackers need only network access to the router's management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Model-specific: RT-AC51U: 3.0.0.4.380.8228+, RT-AC52U B1: 3.0.0.4.380.10446+, RT-AC55U: 3.0.0.4.382.50276+, RT-AC86U: 3.0.0.4.384.20648+

Vendor Advisory: https://www.asus.com/support/FAQ/1044144/

Restart Required: Yes

Instructions:

1. Identify your router model. 2. Visit ASUS support site for your model. 3. Download latest firmware version. 4. Log into router admin panel. 5. Navigate to Administration > Firmware Upgrade. 6. Upload and apply firmware file. 7. Router will reboot automatically.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevents external attackers from accessing router management interface

Restrict Management Access

all

Limit management interface access to specific IP addresses only

🧯 If You Can't Patch

  • Replace router with patched model or different vendor
  • Place router behind dedicated firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel under System Log > General or Administration > Firmware Upgrade

Check Version:

No CLI command - check via web interface at http://router.asus.com

Verify Fix Applied:

Confirm firmware version matches or exceeds patched version for your model

📡 Detection & Monitoring

Log Indicators:

  • Unusual firmware modification attempts
  • Multiple failed login attempts followed by successful access
  • Unexpected process execution in router logs

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains
  • Unexpected port scans originating from router

SIEM Query:

source="router.log" AND (event="firmware_update" OR event="command_execution")

📊 Metadata

CVE ID: CVE-2018-8826
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-20
Published: April 20, 2018
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-8826, you might also want to check these:

CVE-2022-47190 10.0

CVE-2022-47190 allows remote attackers to upload malicious firmware containing a webshell to Generex...

Same vulnerability type (CWE-20)
CVE-2019-11708 10.0

This vulnerability allows a compromised child process in Firefox/Thunderbird to trick the parent pro...

Same vulnerability type (CWE-20)
CVE-2020-12388 10.0

This vulnerability allows attackers to escape Firefox's content process sandbox on Windows systems, ...

Same vulnerability type (CWE-20)