What does the company recommend to users to secure their devices?
ASUS has released a firmware update that addresses a vulnerability that affects seven router models at once and allows remote attackers to gain access to devices.
A critical vulnerability reported as CVE-2024-3080 (CVSS assessment v3. 1: 9.8) allows unauthorized remote users to bypass authentication and take control of the device.
The vulnerability affects the following ASUS router models:
ASUS recommends updating the firmware of the above routers to the latest version available on the company's download portal. Instructions for updating the firmware can be found on the FAQ page.
For those who cannot update the firmware immediately, it is recommended to use strong passwords for both accounts and Wi-Fi networks themselves — more than 10 characters long. The company also advises disabling access to the administrative panel via the Internet, remote access from WAN, port forwarding, DDNS, VPN server, DMZ, and port switcher.
The same service pack addresses the buffer overflow vulnerability CVE-2024-3079 (CVSS v3. 1: 7.2), which requires administrative access.
In addition, Taiwan's CERT reported vulnerability CVE-2024-3912 (CVSS v3. 1: 9.8), which allows unauthorized remote users to execute system commands on the device. This vulnerability affects many ASUS router models, but not all of them will receive security updates due to the end of the support period.
Solutions for the CVE-2024-3912 vulnerability for specific router models are listed below:
ASUS has also released an update to its proprietary Download Master utility, which is used to manage and upload files directly to a USB device connected to the router via torrents, HTTP or FTP.
The new version of Download Master 3.1.0.114 addresses five medium - and high-risk vulnerabilities related to arbitrary file loading, OS command injection, buffer overflow, reflected and stored XSS.
Although these vulnerabilities are not as critical as CVE-2024-3080, users are advised to update the utility to version 3.1.0.114 or higher for optimal security.
ASUS has released a firmware update that addresses a vulnerability that affects seven router models at once and allows remote attackers to gain access to devices.
A critical vulnerability reported as CVE-2024-3080 (CVSS assessment v3. 1: 9.8) allows unauthorized remote users to bypass authentication and take control of the device.
The vulnerability affects the following ASUS router models:
- XT8 (ZenWiFi AX XT8 — - tri-band Wi-Fi 6 system with speeds up to 6600 Mbps, support for AiMesh, AiProtection Pro, seamless roaming and parental control.
- XT8_V2 (ZenWiFi AX XT8 V2 — is an updated version of XT8 with improved performance and stability.
- The RT-AX88U is a dual-band WiFi 6 router with up to 6000 Mbps speeds, 8 LAN ports, AiProtection Pro, and adaptive QoS for gaming and streaming.
- The RT-AX58U is a dual-band WiFi 6 router with speeds up to 3000 Mbps and supports AiMesh, AiProtection Pro and MU-MIMO for efficient multi-user connectivity.
- RT-AX57 is a dual-band WiFi 6 router for basic needs with speeds up to 3000 Mbps, AiMesh support and basic parental control.
- RT-AC86U is a dual-band WiFi 5 router with speeds up to 2900 Mbps, AiProtection, adaptive QoS and game acceleration.
- RT-AC68U is a dual-band WiFi 5 router with speeds up to 1900 Mbps, support for AiMesh, AiProtection and powerful parental control.
ASUS recommends updating the firmware of the above routers to the latest version available on the company's download portal. Instructions for updating the firmware can be found on the FAQ page.
For those who cannot update the firmware immediately, it is recommended to use strong passwords for both accounts and Wi-Fi networks themselves — more than 10 characters long. The company also advises disabling access to the administrative panel via the Internet, remote access from WAN, port forwarding, DDNS, VPN server, DMZ, and port switcher.
The same service pack addresses the buffer overflow vulnerability CVE-2024-3079 (CVSS v3. 1: 7.2), which requires administrative access.
In addition, Taiwan's CERT reported vulnerability CVE-2024-3912 (CVSS v3. 1: 9.8), which allows unauthorized remote users to execute system commands on the device. This vulnerability affects many ASUS router models, but not all of them will receive security updates due to the end of the support period.
Solutions for the CVE-2024-3912 vulnerability for specific router models are listed below:
- DSL-N17U, DSL-N55U_C1, DSL-N55U_D1, DSL-N66U. Update the firmware to version 1.1.2.3_792 or higher.
- DSL-N12U_C1, DSL-N12U_D1, DSL-N14U, DSL-N14U_B1. Update the firmware to version 1.1.2.3_807 or higher.
- DSL-N16, DSL-AC51, DSL-AC750, DSL-AC52U, DSL-AC55U, DSL-AC56U. Update the firmware to version 1.1.2.3_999 or higher.
- DSL-N10_C1, DSL-N10_D1, DSL-N10P_C1, DSL-N12E_C1, DSL-N16P, DSL-N16U, DSL-AC52, DSL-AC55. Devices will no longer receive updates.We recommend that you physically replace them with a modern equivalent.
ASUS has also released an update to its proprietary Download Master utility, which is used to manage and upload files directly to a USB device connected to the router via torrents, HTTP or FTP.
The new version of Download Master 3.1.0.114 addresses five medium - and high-risk vulnerabilities related to arbitrary file loading, OS command injection, buffer overflow, reflected and stored XSS.
Although these vulnerabilities are not as critical as CVE-2024-3080, users are advised to update the utility to version 3.1.0.114 or higher for optimal security.
