CVE-2021-37315

9.1 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to write arbitrary files on ASUS RT-AC68U routers via improper input sanitization in Cloud Disk's COPY and MOVE operations. Attackers can achieve remote code execution by writing malicious files to critical locations. All users of affected firmware versions are vulnerable.

💻 Affected Systems

Products:
  • ASUS RT-AC68U router
Versions: Firmware versions before 3.0.0.4.386.41634
Operating Systems: ASUSWRT firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Cloud Disk feature to be enabled, but this is a standard feature that may be enabled by default in some configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router compromise leading to persistent backdoor installation, credential theft, network traffic interception, and lateral movement to connected devices.

🟠 Likely Case

Remote code execution allowing attacker to modify router configuration, intercept traffic, or use router as pivot point for further attacks.

🟢 If Mitigated

Limited impact if Cloud Disk feature is disabled and router is not internet-facing.

🌐 Internet-Facing: HIGH - Remote attackers can exploit this without authentication if the router's web interface is exposed to the internet.
🏢 Internal Only: HIGH - Even internally, any network user could potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available in the referenced blog posts. Exploitation requires network access to the router's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.0.4.386.41634 or later

Vendor Advisory: https://www.asus.com/support/FAQ/1048284/

Restart Required: Yes

Instructions:

1. Log into the router web interface.
2. Navigate to Administration > Firmware Upgrade.
3. Upload firmware version 3.0.0.4.386.41634 or later.
4. Wait for the upgrade to complete.
5. The router will automatically restart.

🔧 Temporary Workarounds

Disable Cloud Disk

all

Turn off the vulnerable Cloud Disk feature to prevent exploitation

Navigate to USB Application > Cloud Disk in the router web interface and disable the feature

Restrict Web Interface Access

all

Limit access to router's web interface to trusted IP addresses only

Set firewall rules to restrict access to router IP on ports 80/443

🧯 If You Can't Patch

  • Disable Cloud Disk feature immediately via router web interface
  • Ensure router web interface is not exposed to internet and restrict internal network access

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router web interface under Administration > Firmware Upgrade. If the version is below 3.0.0.4.386.41634, you are vulnerable.

Check Version:

curl -s http://router.asus.com/Advanced_System_Content.asp | grep 'firmware_version'

Verify Fix Applied:

Confirm the firmware version is 3.0.0.4.386.41634 or higher on the Administration > Firmware Upgrade page.
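The check above is done by eye; to script it across many devices you need to compare ASUSWRT version strings numerically rather than as text. The following is an added example, not code from the advisory or from ASUS: it extracts a six-component ASUSWRT version from arbitrary text (such as the line the curl/grep check returns, or a firmware file name) and compares it against the fixed version named on this page. The `firmware_version = "..."` sample line and the assumption that ASUS also writes versions with underscores (as in firmware file names) are mine, not the advisory's.

```python
"""Added example (not from the advisory or ASUS): decide whether an ASUSWRT
firmware version string is below the fixed version for CVE-2021-37315."""
import re

# Patch version stated in the advisory.
FIXED_VERSION = "3.0.0.4.386.41634"

# Six numeric components separated by "." or "_" (the underscore form is an
# assumption based on ASUS firmware file names such as RT-AC68U_3.0.0.4_386_41634).
# Requiring exactly six components avoids matching model numbers like "68" in RT-AC68U.
VERSION_RE = re.compile(r"\d+(?:[._]\d+){5}")


def extract_version(text: str) -> tuple[int, ...]:
    """Return the first ASUSWRT-style version in `text` as a tuple of ints.

    Tuples compare component by component, so (3,0,0,4,384,45713) sorts
    below (3,0,0,4,386,41634) even though "45713" > "41634" as a string.
    """
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no ASUSWRT version string found in: {text!r}")
    return tuple(int(part) for part in re.split(r"[._]", match.group(0)))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version found in `version_text` is older than `fixed`."""
    return extract_version(version_text) < extract_version(fixed)


if __name__ == "__main__":
    # Constructed sample inputs: a page/grep line and a firmware file name.
    samples = [
        'var firmware_version = "3.0.0.4.384.45713";',
        "RT-AC68U_3.0.0.4_386_41634.zip",
    ]
    for sample in samples:
        state = "VULNERABLE" if is_vulnerable(sample) else "patched"
        print(f"{sample!r}: {state}")
```

Feed it the output of the curl/grep line above, or a list of versions exported from an inventory tool; any string containing a six-part version works, and a missing version raises rather than silently reporting "patched".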

📡 Detection & Monitoring

Log Indicators:

  • Unusual file copy/move operations in Cloud Disk logs
  • Unexpected file writes to system directories
  • Suspicious POST requests to Cloud Disk endpoints

Network Indicators:

  • Unusual traffic patterns from router to external IPs
  • Unexpected outbound connections from router

SIEM Query:

source="router.log" AND ("cloud_disk" OR "copy" OR "move") AND (status="200" OR status="success")
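The SIEM query above matches any successful copy/move activity, which is noisy on a router that is actually used as a file share. A sharper signal, given that the flaw is an arbitrary file write through COPY and MOVE, is a COPY/MOVE whose destination resolves outside the shared folder. The following is an added example, not the advisory's or ASUS's code, and it does not use a real ASUSWRT log format: the log line layout, the share root `/mnt/share` and the sample lines are all constructed here to show the destination-path check.

```python
"""Added example, not from the advisory: flag Cloud Disk COPY/MOVE requests
whose destination resolves outside the shared folder. The log format, the
share root and the sample lines are constructed assumptions."""
import posixpath
from dataclasses import dataclass

# Assumed mount point of the USB share exposed by Cloud Disk (constructed).
SHARE_ROOT = "/mnt/share"
# The two operations the advisory names as the vulnerable ones.
WRITE_METHODS = {"COPY", "MOVE"}

# Constructed sample lines: "<timestamp> <client> <method> <source> <destination> <status>".
SAMPLE_LOG = [
    "2021-08-05T12:00:01Z 192.0.2.10 GET /mnt/share/report.pdf - 200",
    "2021-08-05T12:00:05Z 192.0.2.10 COPY /mnt/share/report.pdf /mnt/share/backup/report.pdf 201",
    "2021-08-05T12:00:09Z 198.51.100.7 MOVE /mnt/share/upload.bin /mnt/share/../../tmp/upload.bin 201",
    "2021-08-05T12:00:12Z 198.51.100.7 COPY /mnt/share/upload.bin /mnt/share/../../etc/hosts 403",
]


@dataclass
class Event:
    ts: str
    client: str
    method: str
    source: str
    dest: str
    status: str


def parse_line(line: str) -> Event:
    """Split one constructed log line into its six fields."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"unexpected field count in: {line!r}")
    return Event(*fields)


def escapes_root(path: str, root: str = SHARE_ROOT) -> bool:
    """True when the normalised path is not inside `root`.

    normpath collapses "..", so "/mnt/share/../../tmp/x" becomes "/tmp/x";
    the prefix check uses root + "/" so "/mnt/shared" is not treated as inside "/mnt/share".
    """
    norm = posixpath.normpath(path)
    return norm != root and not norm.startswith(root + "/")


def succeeded(status: str) -> bool:
    """A 2xx status means the write actually happened."""
    return status.isdigit() and 200 <= int(status) < 300


def find_suspicious(lines):
    """Return (reason, event) pairs for COPY/MOVE requests whose destination
    leaves the share. Successful ones are incidents; rejected ones still show
    a client probing the router and are worth an alert."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev.method not in WRITE_METHODS:
            continue
        if escapes_root(ev.dest):
            outcome = "succeeded" if succeeded(ev.status) else "rejected"
            hits.append((f"destination outside share root ({outcome})", ev))
    return hits


if __name__ == "__main__":
    for reason, ev in find_suspicious(SAMPLE_LOG):
        print(f"{ev.ts} {ev.client} {ev.method} -> {ev.dest}: {reason}")
```

Ordinary COPY/MOVE traffic that stays under the share root produces no hit, so the rule complements rather than replaces the broader SIEM query; the `succeeded`/`rejected` split lets you page on the former and merely log the latter.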
