Skip to main content

Router

5 CVEs product

Monthly

CVE-2026-13385 CRITICAL Act Now

Remote command execution in certain ASUS router firmware allows a network man-in-the-middle attacker to force the router to download and run arbitrary commands from a spoofed update/download server. The root cause is a failure to validate both the integrity check value (CWE-354) and the TLS server certificate, so an attacker positioned in the network path can impersonate a legitimate ASUS server. No public exploit identified at time of analysis and the flaw is not in CISA KEV; ASUS self-reported it and rates it critical (CVSS 4.0 9.5), though exploitation requires the attacker to first achieve a MITM position (AT:P).

Information Disclosure Router
NVD
CVSS 4.0
9.5
EPSS
0.1%
CVE-2026-11851 MEDIUM This Month

SQL injection in the web management interface of multiple ASUS router models enables a remotely authenticated, high-privilege user to exfiltrate confidential information by sending crafted requests that bypass the router's existing input validation. The vulnerability is limited to read-only data disclosure (no integrity or availability impact) and requires prior administrative authentication, significantly constraining real-world exploitability. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 reflects the high complexity and authentication prerequisites.

SQLi Router
NVD
CVSS 4.0
5.9
EPSS
0.3%
CVE-2025-15101 HIGH NEWS This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Web management interface of ASUS router models that allows an unauthenticated attacker to perform actions with the privileges of an authenticated administrator, potentially including arbitrary system command execution. The vulnerability affects ASUS router products across multiple versions due to insufficient CSRF token validation in the web interface. While no CVSS score or EPSS data is currently available, the ability to execute system commands on a network-critical device represents a critical severity threat.

CSRF Router
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2022-27668 CRITICAL POC Act Now

Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass SAP Netweaver As Abap Netweaver As Abap Krnl64nuc Netweaver As Abap Krnl64uc +1
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2014-0984 MEDIUM POC This Month

The passwordCheck function in SAP Router 721 patch 117, 720 patch 411, 710 patch 029, and earlier terminates validation of a Route Permission Table entry password upon encountering the first. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation SAP Router
NVD Exploit-DB VulDB
CVSS 2.0
4.3
EPSS
9.0%
EPSS 0% CVSS 9.5
CRITICAL Act Now

Remote command execution in certain ASUS router firmware allows a network man-in-the-middle attacker to force the router to download and run arbitrary commands from a spoofed update/download server. The root cause is a failure to validate both the integrity check value (CWE-354) and the TLS server certificate, so an attacker positioned in the network path can impersonate a legitimate ASUS server. No public exploit identified at time of analysis and the flaw is not in CISA KEV; ASUS self-reported it and rates it critical (CVSS 4.0 9.5), though exploitation requires the attacker to first achieve a MITM position (AT:P).

Information Disclosure Router
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

SQL injection in the web management interface of multiple ASUS router models enables a remotely authenticated, high-privilege user to exfiltrate confidential information by sending crafted requests that bypass the router's existing input validation. The vulnerability is limited to read-only data disclosure (no integrity or availability impact) and requires prior administrative authentication, significantly constraining real-world exploitability. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 reflects the high complexity and authentication prerequisites.

SQLi Router
NVD
EPSS 0% CVSS 8.5
HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Web management interface of ASUS router models that allows an unauthenticated attacker to perform actions with the privileges of an authenticated administrator, potentially including arbitrary system command execution. The vulnerability affects ASUS router products across multiple versions due to insufficient CSRF token validation in the web interface. While no CVSS score or EPSS data is currently available, the ability to execute system commands on a network-critical device represents a critical severity threat.

CSRF Router
NVD VulDB
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass SAP Netweaver As Abap +3
NVD
EPSS 9% CVSS 4.3
MEDIUM POC This Month

The passwordCheck function in SAP Router 721 patch 117, 720 patch 411, 710 patch 029, and earlier terminates validation of a Route Permission Table entry password upon encountering the first. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation SAP Router
NVD Exploit-DB VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy