CVE-2018-18319
An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution
| Software | From | Fixed in |
|---|---|---|
| asuswrt-merlin_project / rt-ac5300_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt_ac1900p_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac68u_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac68p_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac88u_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac66u_b1_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac56u_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac3200_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac68uf_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac87_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac3100_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac1900_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac86u_firmware | - | 380.70.x |
| asuswrt-merlin_project / rt-ac2900_firmware | - | 380.70.x |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime