CVE-2018-9285
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary operating system commands on affected ASUS routers via command injection in the pingCNT and destIP fields. Attackers can gain full control of the device without authentication. Users of specific ASUS router models with outdated firmware are affected.
💻 Affected Systems
- ASUS RT-AC66U
- RT-AC68U
- RT-AC86U
- RT-AC88U
- RT-AC1900
- RT-AC2900
- RT-AC3100
- RT-N18U
- RT-AC87U
- RT-AC3200
- RT-AC5300
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of router allowing attacker to intercept all network traffic, install persistent malware, pivot to internal network devices, and use router as botnet node.
Likely Case
Router takeover leading to DNS hijacking, credential theft from network traffic, and installation of cryptocurrency miners or other malware.
If Mitigated
Limited impact if router is behind firewall with restricted WAN access and regular firmware updates are applied.
🎯 Exploit Status
Multiple public exploit scripts available. Exploitation requires sending crafted HTTP POST request to /apply.cgi with malicious SystemCmd parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varies by model:
- RT-AC66U/68U/86U/88U/1900/2900/3100: 3.0.0.4.384_10007+
- RT-N18U: 3.0.0.4.382.39935+
- RT-AC87U/3200: 3.0.0.4.382.50010+
- RT-AC5300: 3.0.0.4.384.20287+
Vendor Advisory: https://www.asus.com/support/FAQ/1039524/
Restart Required: Yes
Instructions:
1. Log into the router web interface.
2. Navigate to Administration > Firmware Upgrade.
3. Check for updates or manually download the latest firmware from the ASUS support site.
4. Upload and apply the firmware update.
5. The router will reboot automatically.
🔧 Temporary Workarounds
Disable remote administration
Prevent external access to the router web interface
In router web interface: Advanced Settings > Administration > System > Enable Web Access from WAN: No
Restrict web interface access
Limit web interface access to specific IP addresses if remote access is required
In router web interface: Advanced Settings > Administration > System > Allow only specified IP addresses: Yes, then add trusted IPs
🧯 If You Can't Patch
- Replace affected router with supported model
- Place router behind firewall with strict inbound rules blocking ports 80/443 from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check current firmware version in router web interface under Administration > Firmware Upgrade and compare with patched versions listed above.
Check Version:
curl -s http://router-ip/Main_Analysis_Content.asp | grep -i firmware || ssh admin@router-ip 'nvram get buildno'
Verify Fix Applied:
Confirm firmware version matches or exceeds patched version. Test by attempting to access vulnerable endpoint with test payload (in controlled environment).
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /apply.cgi with SystemCmd parameter containing shell metacharacters
- Unusual command execution in router logs
- Multiple failed login attempts followed by successful command execution
Network Indicators:
- Unusual outbound connections from router to suspicious IPs
- DNS queries to malicious domains from router
- Unexpected traffic patterns from router
SIEM Query:
source="router_logs" AND url="/apply.cgi" AND method="POST" AND param="SystemCmd" AND (value="*;*" OR value="*|*" OR value="*`*")
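The same detection logic as the log indicators and SIEM query above, written as an added example (not part of the original advisory) that runs over constructed sample request-log lines in an assumed "METHOD PATH BODY" format; it goes slightly beyond the query by also treating `&`, `$`, parentheses, redirections and encoded newlines as shell metacharacters.

```python
from urllib.parse import parse_qs

# Characters that let a value break out of the intended ping argument.
# The SIEM query above checks only ; | and backtick; this set is wider.
SHELL_METACHARS = set(";|`&$(){}<>\n")

# Constructed sample log lines (assumed format: METHOD PATH URL-ENCODED-BODY).
# Line 2 and line 4 are the ones a defender should be alerted on.
SAMPLE_LOG = """\
POST /apply.cgi action_mode=apply&SystemCmd=ping+-c+4+8.8.8.8
POST /apply.cgi action_mode=apply&SystemCmd=ping+-c+1+127.0.0.1%3Bid
GET /Main_Analysis_Content.asp -
POST /apply.cgi action_mode=apply&SystemCmd=%60id%60
POST /start_apply.htm action_mode=apply
"""


def parse_line(line):
    """Split one log line into (method, path, decoded form parameters)."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    method, path, body = parts
    # parse_qs decodes %XX escapes and '+' so obfuscated metacharacters are seen.
    return method, path, parse_qs(body, keep_blank_values=True)


def is_suspicious(method, path, params):
    """True for a POST to /apply.cgi whose SystemCmd value contains a metacharacter."""
    if method != "POST" or path.split("?", 1)[0] != "/apply.cgi":
        return False
    return any(
        any(ch in SHELL_METACHARS for ch in value)
        for value in params.get("SystemCmd", [])
    )


def scan_log(text):
    """Return [(line_number, decoded SystemCmd value)] for every suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed and is_suspicious(*parsed):
            hits.append((lineno, parsed[2]["SystemCmd"][0]))
    return hits


if __name__ == "__main__":
    for lineno, cmd in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious SystemCmd={cmd!r}")
```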
🔗 References
- http://packetstormsecurity.com/files/160049/ASUS-TM-AC1900-Arbitrary-Command-Execution.html
- https://fortiguard.com/zeroday/FG-VD-17-216
- https://www.fortinet.com/blog/threat-research/fortiguard-labs-discovers-vulnerability-in-asus-router.html