CVE-2019-11061

10.0 CRITICAL

📋 TL;DR

CVE-2019-11061 is a critical authentication bypass vulnerability in HG100 firmware that allows attackers on the same local network to control connected IoT devices without credentials. This affects all HG100 firmware versions up to 4.00.06, enabling complete device takeover.

💻 Affected Systems

Products:
  • ASUS HG100 Smart Home Gateway
Versions: All versions up to and including 4.00.06
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with the vulnerable firmware version; requires attacker to be on the same local network.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all IoT devices connected to the vulnerable HG100 gateway, allowing attackers to manipulate devices (lights, locks, sensors), steal data, or cause physical damage through malicious control.

🟠 Likely Case

Unauthorized control of smart home devices by attackers on the same network, potentially leading to privacy violations, property damage, or disruption of home automation systems.

🟢 If Mitigated

Limited impact if network segmentation isolates the HG100 from untrusted devices and external networks, though local attackers could still exploit the flaw if they gain access to that network.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub; exploitation requires only HTTP requests to the vulnerable endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 4.00.07 or later

Vendor Advisory: https://www.asus.com/support/FAQ/1044144/

Restart Required: Yes

Instructions:

1. Log into HG100 admin interface
2. Navigate to Firmware Update section
3. Download latest firmware from ASUS support site
4. Upload and apply update
5. Reboot device after update completes

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate the HG100 and connected IoT devices on a separate VLAN from general user devices

Access Control Lists (Linux)

Restrict HTTP access to the HG100 management interface to trusted IP addresses only

iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Disconnect HG100 from network if not essential; use alternative smart home controller
  • Implement strict network segmentation to isolate HG100 from all untrusted devices

🔍 How to Verify

Check if Vulnerable:

Check firmware version in HG100 web interface; if version is 4.00.06 or lower, device is vulnerable

Check Version:

curl -s http://[hg100-ip]/cgi-bin/get_firmware_version

Verify Fix Applied:

Confirm firmware version is 4.00.07 or higher in admin interface; test that /smarthome/devicecontrol endpoint now requires authentication

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated HTTP POST requests to /smarthome/devicecontrol endpoint
  • Multiple device control commands from unfamiliar IP addresses

Network Indicators:

  • HTTP traffic to HG100 port 80 from unexpected internal IPs
  • Unusual device control patterns in smart home network traffic

SIEM Query:

source="hg100-logs" AND (url="/smarthome/devicecontrol" AND NOT user_authenticated=true)
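
The log indicators above, written out as a small offline detector. This is an added example, not vendor or project code: the Common Log Format layout (as a proxy or network sensor in front of the gateway might record it), the trusted controller address and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

ENDPOINT = "/smarthome/devicecontrol"  # endpoint named on this page
TRUSTED = [ipaddress.ip_network("192.168.1.10/32")]  # assumed: the one controller host

# Assumed log layout: Common Log Format, auth user in the third field ("-" = none).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real HG100 output.
SAMPLE_LOG = """\
192.168.1.10 - admin [12/May/2019:10:00:01 +0000] "POST /smarthome/devicecontrol HTTP/1.1" 200 41
192.168.1.57 - - [12/May/2019:10:03:12 +0000] "POST /smarthome/devicecontrol HTTP/1.1" 200 41
192.168.1.57 - - [12/May/2019:10:03:14 +0000] "POST /smarthome/devicecontrol?x=1 HTTP/1.1" 200 41
192.168.1.23 - - [12/May/2019:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 512
garbage line that does not parse
"""

def is_trusted(src):
    """True if src parses as an IP address inside one of the TRUSTED networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED)

def find_suspicious(log_text):
    """Return (alerts, per-source counts) for device-control POSTs that are
    unauthenticated or come from a source outside TRUSTED."""
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and non-POST requests
        if m["path"].split("?", 1)[0].rstrip("/") != ENDPOINT:
            continue  # compare the path without query string or trailing slash
        reasons = []
        if m["user"] == "-":
            reasons.append("unauthenticated")
        if not is_trusted(m["src"]):
            reasons.append("untrusted-source")
        if reasons:
            alerts.append((m["ts"], m["src"], reasons))
            counts[m["src"]] += 1
    return alerts, counts
```

The per-source counts cover the second log indicator: a source with several flagged commands in a short window is worth triaging first.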
