CVE-2021-32030 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2021-32030?

CVE-2021-32030 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows unauthenticated attackers to bypass authentication on ASUS GT-AC2900 and Lyra Mini routers by sending specially crafted input with null bytes. This grants unauthorized access to the administrator interface, potentially leading to complete device compromise. All users of affected ASUS router models with vulnerable firmware versions are impacted.

📋 TL;DR

This vulnerability allows unauthenticated attackers to bypass authentication on ASUS GT-AC2900 and Lyra Mini routers by sending specially crafted input with null bytes. This grants unauthorized access to the administrator interface, potentially leading to complete device compromise. All users of affected ASUS router models with vulnerable firmware versions are impacted.

💻 Affected Systems

Products:

ASUS GT-AC2900
ASUS Lyra Mini

Versions: GT-AC2900: before 3.0.0.4.386.42643; Lyra Mini: before 3.0.0.4_384_46630

Operating Systems: Router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All unsupported (EOL) versions of Lyra Mini are also affected. Default configurations with remote access enabled are vulnerable.

📦 What is this software?

Gt Ac2900 Firmware by Asus

View all CVEs affecting Gt Ac2900 Firmware →

Lyra Mini Firmware by Asus

View all CVEs affecting Lyra Mini Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router takeover allowing attacker to reconfigure network settings, intercept traffic, install malware, pivot to internal network devices, and maintain persistent access.

🟠

Likely Case

Unauthorized access to router admin panel enabling network configuration changes, DNS hijacking, credential theft, and potential lateral movement to connected devices.

🟢

If Mitigated

Limited impact if remote access features are disabled and proper network segmentation prevents router exposure to untrusted networks.

🌐 Internet-Facing: HIGH - Routers with WAN/remote access enabled are directly exploitable from the internet without authentication.

🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but requires local network presence.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit involves sending authentication requests with null byte values that bypass auth_check function. Public proof-of-concept available in advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GT-AC2900: 3.0.0.4.386.42643 or later; Lyra Mini: 3.0.0.4_384_46630 or later

Vendor Advisory: https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AC2900/HelpDesk_BIOS/

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to Firmware Upgrade section. 3. Download latest firmware from ASUS support site. 4. Upload and install firmware. 5. Reboot router after installation completes.

🔧 Temporary Workarounds

Disable Remote Access

all

Disable WAN/remote management features to prevent external exploitation

Login to router admin -> Advanced Settings -> Administration -> System -> Disable 'Enable Web Access from WAN'

Network Segmentation

all

Place router on isolated network segment with strict firewall rules

Configure firewall to block external access to router admin ports (typically 80, 443, 8443)

🧯 If You Can't Patch

Immediately disable all remote access/WAN management features in router settings
Implement network-level controls to restrict access to router admin interface from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Information or Firmware Version section

Check Version:

Login to router admin panel and navigate to System Status or Firmware Information page

Verify Fix Applied:

Confirm firmware version matches or exceeds patched versions: GT-AC2900 >= 3.0.0.4.386.42643, Lyra Mini >= 3.0.0.4_384_46630

📡 Detection & Monitoring

Log Indicators:

Unauthenticated access to admin URLs
Authentication bypass attempts with unusual parameters
Multiple failed login attempts followed by successful admin access

Network Indicators:

External IP addresses accessing router admin interface
Unusual traffic patterns to router management ports from internet

SIEM Query:

source_ip=external AND (dest_port=80 OR dest_port=443 OR dest_port=8443) AND (url_path CONTAINS "/login.cgi" OR url_path CONTAINS "/apply.cgi") AND response_code=200

📊 Metadata

CVE ID: CVE-2021-32030

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-287

Published: May 6, 2021

Last Updated: November 10, 2025

🔗 References

https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.md Broken Link,Exploit,Third Party Advisory
https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AC2900/HelpDesk_BIOS/ Product
https://www.asus.com/us/supportonly/lyra%20mini/helpdesk_bios/ Product
https://www.atredis.com/blog/2021/4/30/asus-authentication-bypass Exploit
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.md Broken Link,Exploit,Third Party Advisory
https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AC2900/HelpDesk_BIOS/ Product
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32030 US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-32030, you might also want to check these: