Asus Asus

Do you want an email whenever new security vulnerabilities are reported in any Asus product?

Products by Asus Sorted by Most Security Vulnerabilities since 2018

Asuswrt3 vulnerabilities

Asus Firmware2 vulnerabilities

Asus Control Center2 vulnerabilities

Asus Gputweak Ii2 vulnerabilities

Myasus1 vulnerability

Asus Precision Touchpad1 vulnerability

Asus Rog Live Service1 vulnerability

Asus Rt Ac52u B1 Firmware1 vulnerability

Asus Rt N111 vulnerability

Asus Smarthome1 vulnerability

Asus Webstorage1 vulnerability

By the Year

In 2022 there have been 7 vulnerabilities in Asus with an average score of 8.0 out of ten. Last year Asus had 3 security vulnerabilities published. That is, 4 more vulnerabilities have already been reported in 2022 as compared to last year. However, the average CVE base score of the vulnerabilities in 2022 is greater by 1.16.

Year Vulnerabilities Average Score
2022 7 8.03
2021 3 6.87
2020 3 6.03
2019 2 9.30
2018 2 9.80

It may take a day or so for new Asus vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Asus Security Vulnerabilities

A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7

CVE-2022-26376 9.8 - Critical - August 05, 2022

A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

Memory Corruption

ASUS Control Center API has a broken access control vulnerability

CVE-2022-26668 6.5 - Medium - June 20, 2022

ASUS Control Center API has a broken access control vulnerability. An unauthenticated remote attacker can call privileged API functions to perform partial system operations or cause partial disrupt of service.

AuthZ

ASUS Control Center is vulnerable to SQL injection

CVE-2022-26669 6.5 - Medium - June 20, 2022

ASUS Control Center is vulnerable to SQL injection. An authenticated remote attacker with general user privilege can inject SQL command to specific API parameters to acquire database schema or access data.

SQL Injection

ASUS WebStorage has a hardcoded API Token in the APP source code

CVE-2022-26672 9.8 - Critical - April 22, 2022

ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information.

Use of Hard-coded Credentials

The System Diagnosis service of MyASUS before 3.1.2.0

CVE-2022-22814 9.8 - Critical - March 10, 2022

The System Diagnosis service of MyASUS before 3.1.2.0 allows privilege escalation.

Improper Privilege Management

ROG Live Services function for deleting temp files created by installation has an improper link resolution before file access vulnerability

CVE-2022-22262 7.7 - High - March 01, 2022

ROG Live Services function for deleting temp files created by installation has an improper link resolution before file access vulnerability. Since this function does not validate the path before deletion, an unauthenticated local attacker can create an unexpected symbolic link to system file path, to delete arbitrary system files and disrupt system service.

insecure temporary file

Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) in ASUS RT-AC52U_B1 3.0.0.4.380.10931

CVE-2021-46109 6.1 - Medium - January 03, 2022

Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) in ASUS RT-AC52U_B1 3.0.0.4.380.10931 can lead to a user session hijack.

XSS

ASUS ROG Armoury Crate Lite before 4.2.10

CVE-2021-40981 7.3 - High - September 27, 2021

ASUS ROG Armoury Crate Lite before 4.2.10 allows local users to gain privileges by placing a Trojan horse file in the publicly writable %PROGRAMDATA%\ASUS\GamingCenterLib directory.

DLL preloading

AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to trigger a stack-based buffer overflow

CVE-2021-28686 5.5 - Medium - April 08, 2021

AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to trigger a stack-based buffer overflow. This could enable low-privileged users to achieve Denial of Service via a DeviceIoControl.

Memory Corruption

AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to interact directly with physical memory (by calling one of several driver routines

CVE-2021-28685 7.8 - High - April 08, 2021

AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to interact directly with physical memory (by calling one of several driver routines that map physical memory into the virtual address space of the calling process) and to interact with MSR registers. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges via a DeviceIoControl.

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL

CVE-2020-12695 7.5 - High - June 08, 2020

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Incorrect Default Permissions

Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices

CVE-2018-8878 5.3 - Medium - February 27, 2020

Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network devices' hostnames and MAC addresses by reading the custom_id variable on the blocking.asp page.

Information Disclosure

Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices

CVE-2018-8877 5.3 - Medium - February 27, 2020

Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network IP address ranges by reading the new_lan_ip variable on the error_page.htm page.

Information Disclosure

AsusPTPFilter.sys on Asus Precision TouchPad 11.0.0.25 hardware has a Pool Overflow associated with the \\

CVE-2019-10709 9.8 - Critical - September 04, 2019

AsusPTPFilter.sys on Asus Precision TouchPad 11.0.0.25 hardware has a Pool Overflow associated with the \\.\AsusTP device, leading to a DoS or potentially privilege escalation via a crafted DeviceIoControl call.

Permissions, Privileges, and Access Controls

A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices

CVE-2019-11063 8.8 - High - August 29, 2019

A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Missing Authentication for Critical Function

An issue was discovered in AsusWRT before 3.0.0.4.384_10007

CVE-2018-5999 9.8 - Critical - January 22, 2018

An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.

An issue was discovered in AsusWRT before 3.0.0.4.384_10007

CVE-2018-6000 9.8 - Critical - January 22, 2018

An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.

AuthZ

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.