CVE-2021-32030
published 2021-05-06

Priority: P197 (critical); CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability: due 2025-06-23
Exploited in the wild
EPSS: 99.35% (99.9th percentile)
The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 and Lyra Mini before 3.0.0.4_384_46630 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations. Note: All versions of Lyra Mini and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability. Consumers can mitigate this vulnerability by disabling the remote access features from WAN.

Affected (2 ranges)

Vendor  Product              Version range          Fixed in
asus    gt-ac2900_firmware   < 3.0.0.4.386.42643    3.0.0.4.386.42643
asus    lyra_mini_firmware   < 3.0.0.4.384.46630    3.0.0.4.384.46630

Detection & IOCs (extracted from sources)

url:    GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1
cookie: asus_token=\0Invalid; clickedItem_tab=0
ua:     asusrouter--
path:   /appGet.cgi
port:   53282
  • Exploit probe sends a GET request to /appGet.cgi with hook=get_cfg_clientlist() using a null-byte cookie value (asus_token=\0Invalid) and the custom User-Agent 'asusrouter--'. A 200 JSON response containing 'get_cfg_clientlist', 'alias', and 'model_name' confirms successful authentication bypass.
  • The authentication bypass relies on an attacker-supplied null byte ('\0') matching the device's default token value. Detection should look for HTTP requests to ASUS router admin endpoints carrying a null-byte or empty asus_token cookie value.
  • Post-exploitation indicator: attackers add their own SSH public key to the 'authorized_keys' file and enable SSH on non-standard TCP port 53282. Check for unexpected entries in authorized_keys and SSH listening on port 53282.
  • Post-exploitation stealth: attackers disable logging and Trend Micro AiProtection on compromised routers. Absence of expected logging activity or AiProtection being disabled may indicate compromise.
  • In the Vicious Trap / Sekoia-tracked campaign leveraging CVE-2021-32030, a malicious script was downloaded and executed to redirect network traffic from the compromised router to attacker-controlled third-party devices.
  • GreyNoise tags IPs actively exploiting CVE-2021-32030 as 'ASUS GT-AC2900 Auth Bypass Attempt' with malicious intent. Use GreyNoise tag filtering to identify scanning/exploitation sources.
  • All versions of Lyra Mini and earlier which are unsupported (End-of-Life/EOL) are also affected. CISA notes these products may be EoL/EoS and recommends discontinuing use if mitigations are unavailable.
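An added example, not part of this database entry or of any vendor or GreyNoise tooling: a small Python detector that applies the cookie and User-Agent indicators above to raw HTTP request heads, treating an empty token, a raw NUL, the escaped `\0` text and the URL-encoded `%00` form alike. The sample requests, the host address and the hex token value are constructed.

```python
from urllib.parse import unquote
# Indicators taken from this record: the probe endpoint, cookie and User-Agent.
ADMIN_PATHS = {"/appGet.cgi"}
PROBE_UA = "asusrouter--"

def parse_cookies(header):
    """Split a Cookie header into {name: value} (first occurrence wins)."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name and name not in cookies:
            cookies[name] = value
    return cookies

def parse_request(raw):
    """Return (path, lower-cased header dict) from a raw HTTP/1.x request head."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    parts = lines[0].split(" ")
    path = (parts[1] if len(parts) > 1 else "").split("?", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return path, headers

def asus_token_is_null(cookie_header):
    """True for an empty asus_token, a raw NUL, the escaped '\\0' text, or %00."""
    token = parse_cookies(cookie_header).get("asus_token")
    if token is None:
        return False  # no token at all: an ordinary unauthenticated request
    token = unquote(token)  # %00 -> NUL
    return token == "" or "\x00" in token or token.startswith("\\0")

def detect(raw_request):
    """Return the indicators matched by one raw request (empty list = clean)."""
    path, headers = parse_request(raw_request)
    findings = []
    if path in ADMIN_PATHS and asus_token_is_null(headers.get("cookie", "")):
        findings.append(f"null/empty asus_token on admin endpoint {path}")
    if headers.get("user-agent") == PROBE_UA:
        findings.append(f"probe User-Agent {PROBE_UA!r}")
    return findings

# Constructed sample requests: PROBE mirrors the record's IOCs, the other two vary them.
PROBE = ("GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1\r\nHost: 192.0.2.1\r\n"
         "User-Agent: asusrouter--\r\nCookie: asus_token=\\0Invalid; clickedItem_tab=0\r\n\r\n")
ENCODED = "GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1\r\nCookie: asus_token=%00\r\n\r\n"
BENIGN = ("GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1\r\nHost: 192.0.2.1\r\n"
          "User-Agent: Mozilla/5.0\r\nCookie: asus_token=3f9a1c2e7b; clickedItem_tab=0\r\n\r\n")
```

Feed each request head that reaches the router's admin listener into detect(); any non-empty result is worth an alert, and the encoded variant shows why the check must decode before comparing.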

CVSS provenance

nvd (v3.1):  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0):  7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck:   9.8 CRITICAL
cisa:        9.8 CRITICAL