In a statement, the company noted that, “If you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions,” which includes remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.
The firmware update addresses no fewer than nine CVEs, including three from 2023, five from 2022, and one dating back as far as 2018. A number of other vulnerabilities and issues were also fixed as part of the motion.
Asus Wi-Fi router security fix
The routers in question include: GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.
The most serious vulnerabilities are among the oldest, including the 2018 entry which could be exploited to gain arbitrary code execution, and CVE-2022-26376 which could see unauthorized parties execute memory corruption attacks. Both were awarded a ‘critical’ score of 9.8 under NIST’s National Vulnerability Database.
This comes precisely one month after the company disclosed an error in the configuration files for some of its routers which saw users’ connections interrupted – a fix was automatically issued and affected users did not need to apply a security update (though some reported rebooting the device was necessary).
The best advice comes in the form of staying on top of security fixes for any device connected to the Internet to prevent attackers from gaining unwanted access. Asus’s firmware updates are available on its support page.
Like other router manufacturers, the Taiwanese company stresses the importance of setting up separate passwords for the wireless network and the router admin panel.