ASUS has issued a warning to users regarding two vulnerabilities affecting several of its routers. These security flaws, identified as CVE-2024-12912 and CVE-2024-13062, could allow attackers to execute arbitrary commands on vulnerable devices.
The vulnerabilities are linked to the AiCloud feature in the routers’ firmware. According to ASUS, the issues stem from improper input validation, enabling authenticated attackers to initiate remote command execution. Both vulnerabilities have been assigned a CVSS score of 7.2, categorizing them as high-severity threats.
CVE-2024-12912 exploits insufficient input validation in the AiCloud service, granting attackers the ability to execute arbitrary commands. Similarly, CVE-2024-13062 provides a comparable attack vector through inadequate filtering of input data.
Users of ASUS routers face significant risks if firmware updates are not promptly installed. To address these threats, ASUS has released updated firmware versions: 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102.
For users unable to update immediately, ASUS recommends the following mitigation measures:
- Set Strong Passwords: Use unique passwords of at least 10 characters, including uppercase and lowercase letters, numbers, and special symbols.
- Enable AiCloud Password Protection: Activate password safeguards to prevent unauthorized access to the AiCloud feature.
- Disable External Services: Turn off unused features such as remote access, port forwarding, DDNS, VPN server, DMZ, and FTP.
ASUS underscores the critical importance of keeping firmware up to date and adhering to security best practices. The company also encourages users to report any discovered vulnerabilities through its dedicated security issue disclosure page.
