Skip to main content

ASUS Router App CVE-2026-12960

| EUVDEUVD-2026-41482 MEDIUM
Improper Export of Android Application Components (CWE-926)
2026-07-03 ASUS GHSA-6vqf-8qmc-rjr8
6.0
CVSS 4.0 · Vendor: ASUS
Share

Severity by source

Vendor (ASUS) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Local vector as exploitation requires co-installed malicious app; PR:N because attacking app needs no special privileges; S:C and C:H reflecting potential router credential exposure beyond the app boundary.

3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (ASUS).

CVSS VectorVendor: ASUS

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 03:01 vuln.today
CVE Published
Jul 03, 2026 - 02:00 cve.org
MEDIUM 6.0

DescriptionCVE.org

An Improper Export of Android Application Components vulnerability in ASUS Router App allows a third-party application on the same device to send a crafted Intent that causes ASUS Router App to open an specified URL. Refer to the ' Security Update for ASUS Router Android App ' section on the ASUS Security Advisory for more information.

AnalysisAI

Improper export of Android application components in the ASUS Router App enables any co-installed third-party application on the same Android device to send a crafted Intent that forces the ASUS Router App to navigate to an attacker-specified URL. The flaw, classified as CWE-926, allows an attacker-controlled application to abuse the exposed component as an open redirect, potentially rendering phishing content or harvesting router management credentials within the app's trusted interface context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install malicious app on victim device
Delivery
Send crafted Android Intent to exported ASUS Router App component
Exploit
ASUS Router App opens attacker-controlled URL in app context
Execution
Render phishing or credential-harvesting content within trusted app UI
Impact
Exfiltrate router credentials or sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires a malicious third-party application to be installed on the same Android device as the ASUS Router App - remote network exploitation is not possible given the AV:L attack vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.0 with vector AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N characterizes this as a local-vector, low-complexity attack with no impact on the ASUS Router App itself (VC/VI/VA all N), but high subsequent-system confidentiality impact (SC:H), reflecting the potential to expose router credentials or sensitive management data through URL manipulation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor publishes a malicious Android application - disguised as a utility, game, or productivity tool - to a third-party app store or distributes it via social engineering. Once installed on the same Android device running the ASUS Router App, the malicious app sends a crafted Android Intent to the improperly exported component, causing the ASUS Router App to open an attacker-controlled URL. …
Remediation The primary remediation is to update the ASUS Router App to the patched version available through the Google Play Store, as directed by the ASUS Security Advisory at https://www.asus.com/security-advisory/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12960 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy