OS Command Injection in ASUS RT-AX55 3.0.0.4.386.51598 QoS BW Rulelist (CVE-2023-39780): CVE-2023-39780 September 2023

On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /start_apply.htm qos_bw_rulelist parameter. NOTE: for the similar "token-generated module" issue, see CVE-2023-41345; for the similar "token-refresh module" issue, see CVE-2023-41346; for the similar "check token module" issue, see CVE-2023-41347; and for the similar "code-authentication module" issue, see CVE-2023-41348.

Known Exploited Vulnerability

This ASUS RT-AX55 Routers OS Command Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. ASUS RT-AX55 devices contain a OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands.

The following remediation steps are recommended / required by June 23, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weakness Type

What is a Shell injection Vulnerability?

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVE-2023-39780 has been classified to as a Shell injection vulnerability or weakness.

Products Associated with CVE-2023-39780

stack.watch emails you whenever new vulnerabilities are published in Asus Rt Ax55 Firmware or Asus Rt Ax55. Just hit a watch button to start following.

Affected Versions

Exploit Probability

EPSS

42.66%

Percentile

97.43%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.