CVE-2022-25597

ASUS RT-AC86U’s LPD service has insufficient filtering for special characters in the user request, which allows an unauthenticated LAN attacker to perform command injection attack, execute arbitrary commands and disrupt or terminate service.

Published: Apr 7, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-25597
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
asus / rt-ac86u_firmware	3.0.0.4.386.45956	3.0.0.4.386.45956.x

https://www.twcert.org.tw/tw/cp-132-5794-09c33-1.html

Vulnerability Database

289,871

CVE-2022-25597