CVE-2023-39780 – This vulnerability allows authenticated attacke... (How to Fix)

Q: What is the severity of CVE-2023-39780?

CVE-2023-39780 has a CVSS score of 8.8 (HIGH). This vulnerability allows authenticated attackers on ASUS RT-AX55 routers to execute arbitrary operating system commands by injecting malicious input into the qos_bw_rulelist parameter of the /start_apply.htm endpoint. Attackers with valid credentials can gain full control of affected devices. Only ASUS RT-AX55 routers running specific firmware versions are affected.

📋 TL;DR

This vulnerability allows authenticated attackers on ASUS RT-AX55 routers to execute arbitrary operating system commands by injecting malicious input into the qos_bw_rulelist parameter of the /start_apply.htm endpoint. Attackers with valid credentials can gain full control of affected devices. Only ASUS RT-AX55 routers running specific firmware versions are affected.

💻 Affected Systems

Products:

ASUS RT-AX55

Versions: 3.0.0.4.386.51598

Operating Systems: ASUSWRT firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects devices with web administration interface accessible and using the vulnerable firmware version. Authentication is required but default credentials may be in use.

📦 What is this software?

Rt Ax55 Firmware by Asus

View all CVEs affecting Rt Ax55 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept all network traffic, or use the device as part of a botnet.

🟠

Likely Case

Attackers with stolen or default credentials gain administrative access to modify device settings, intercept traffic, or deploy malware to connected devices.

🟢

If Mitigated

With proper authentication controls and network segmentation, impact is limited to the router itself without lateral movement to other systems.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Multiple proof-of-concept examples are available in public repositories. Exploitation requires authentication but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check ASUS support for latest firmware

Vendor Advisory: https://www.asus.com/support/

Restart Required: Yes

Instructions:

1. Log into ASUS router web interface. 2. Navigate to Administration > Firmware Upgrade. 3. Check for updates or manually download latest firmware from ASUS support site. 4. Upload and apply firmware update. 5. Reboot router after update completes.

🔧 Temporary Workarounds

Disable Remote Administration

all

Prevents external attackers from accessing the vulnerable web interface

Navigate to Administration > System > Enable Web Access from WAN: Set to 'No'

Change Default Credentials

all

Mitigates risk from attackers using default or weak credentials

Navigate to Administration > System > Change Router Password

🧯 If You Can't Patch

Segment router on isolated network segment with strict firewall rules
Implement network monitoring for unusual outbound connections from router

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under Administration > Firmware Upgrade

Check Version:

Login to router web interface and check firmware version in Administration section

Verify Fix Applied:

Verify firmware version is newer than 3.0.0.4.386.51598 and test that command injection no longer works

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Multiple failed authentication attempts followed by successful login

Network Indicators:

Unusual outbound connections from router
Traffic to known malicious IPs from router

SIEM Query:

source="router_logs" AND ("start_apply.htm" OR "qos_bw_rulelist") AND command="*"

📊 Metadata

CVE ID: CVE-2023-39780

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: September 11, 2023

Last Updated: October 31, 2025

🔗 References

https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/1/EN.md Exploit,Third Party Advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/2/EN.md Exploit,Third Party Advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/3/EN.md Exploit,Third Party Advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/4/EN.md Exploit,Third Party Advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/5/EN.md Exploit,Third Party Advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/6/EN.md Exploit,Third Party Advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/1/EN.md Exploit,Third Party Advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/2/EN.md Exploit,Third Party Advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/3/EN.md Exploit,Third Party Advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/4/EN.md Exploit,Third Party Advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/5/EN.md Exploit,Third Party Advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/6/EN.md Exploit,Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-39780 US Government Resource
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-39780, you might also want to check these: