SQL Injection Flaw in ASUS RT-AC68U Router Firmware
CVE-2021-37316

7.5HIGH

Key Information:

Vendor: Asus
Status: Rt-ac68u Firmware
Vendor: CVE Published:; 3 February 2023

Summary

The ASUS RT-AC68U router has an SQL injection vulnerability in its Cloud Disk feature, present in firmware versions prior to 3.0.0.4.386.41634. This flaw allows remote attackers to execute unauthorized SQL queries, which can lead to the exposure of sensitive information, including user credentials stored in the /etc/shadow file. Such a compromise can significantly undermine the privacy and security of the users relying on this device for their network connectivity.

References

https://robertchen.cc/blog/2021/03/31/asus-rce

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 3, 2023
Vulnerability Reserved
Jul 21, 2021