CVE-2021-32030
published 2021-05-06
Priority P197 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-06-23
Exploited in the wild
EPSS: 99.35% (99.9th percentile)
The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 and Lyra Mini before 3.0.0.4_384_46630 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations. Note: All versions of Lyra Mini and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability. Consumers can mitigate this vulnerability by disabling the remote access features from WAN.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asus | gt-ac2900_firmware | < 3.0.0.4.386.42643 | 3.0.0.4.386.42643 |
| asus | lyra_mini_firmware | < 3.0.0.4.384.46630 | 3.0.0.4.384.46630 |
Detection & IOCs (extracted from sources)
url: GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1
cookie: asus_token=\0Invalid; clickedItem_tab=0
ua: asusrouter--
path: /appGet.cgi
- Exploit probe sends a GET request to /appGet.cgi with hook=get_cfg_clientlist() using a null-byte cookie value (asus_token=\0Invalid) and the custom User-Agent 'asusrouter--'. A 200 JSON response containing 'get_cfg_clientlist', 'alias', and 'model_name' confirms successful authentication bypass.
- The authentication bypass relies on an attacker-supplied null byte ('\0') matching the device's default token value. Detection should look for HTTP requests to ASUS router admin endpoints carrying a null-byte or empty asus_token cookie value.
- Post-exploitation indicator: attackers add their own SSH public key to the 'authorized_keys' file and enable SSH on non-standard TCP port 53282. Check for unexpected entries in authorized_keys and SSH listening on port 53282.
- Post-exploitation stealth: attackers disable logging and Trend Micro AiProtection on compromised routers. Absence of expected logging activity or AiProtection being disabled may indicate compromise.
- In the Vicious Trap / Sekoia-tracked campaign leveraging CVE-2021-32030, a malicious script was downloaded and executed to redirect network traffic from the compromised router to attacker-controlled third-party devices.
- GreyNoise tags IPs actively exploiting CVE-2021-32030 as 'ASUS GT-AC2900 Auth Bypass Attempt' with malicious intent. Use GreyNoise tag filtering to identify scanning/exploitation sources.
- All versions of Lyra Mini and earlier which are unsupported (End-of-Life/EOL) are also affected. CISA notes these products may be EoL/EoS and recommends discontinuing use if mitigations are unavailable.
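Added example (not from the original page or any cited source): a log-side check for the cookie indicator above, flagging requests to /appGet.cgi whose asus_token is empty or begins with a raw NUL, `%00`, or the literal `\0`, the same three prefixes the Suricata rule on this page matches. The function names, the `router.example` host and the sample requests are constructed for illustration.

```python
import re

# A raw NUL, URL-encoded %00, or the two literal characters backslash-zero.
NULL_PREFIX = re.compile(r"^(?:\x00|%00|\\0)")

def parse_request(raw):
    """Split a raw HTTP request head into (target, lower-cased headers dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers

def asus_token(cookie_header):
    """Return the asus_token value, or None when the cookie is absent."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if name == "asus_token" and sep:
            return value
    return None

def classify(raw):
    """Return findings for one request; an empty list means nothing flagged."""
    target, headers = parse_request(raw)
    if target.split("?", 1)[0] != "/appGet.cgi":  # endpoint named on this page
        return []
    token = asus_token(headers.get("cookie", ""))
    findings = []
    if token == "":
        findings.append("empty asus_token")
    elif token is not None and NULL_PREFIX.match(token):
        findings.append("null-byte asus_token")
    # The probe User-Agent only corroborates; it is trivial to change.
    if findings and headers.get("user-agent") == "asusrouter--":
        findings.append("probe user-agent")
    return findings

def build(cookie, ua="Mozilla/5.0"):
    """Constructed sample request for testing the check (not captured traffic)."""
    return ("GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1\r\n"
            "Host: router.example\r\n"
            f"User-Agent: {ua}\r\nCookie: {cookie}\r\n\r\n")

if __name__ == "__main__":
    for cookie in ("asus_token=\\0Invalid; clickedItem_tab=0",
                   "asus_token=%00x", "asus_token=constructedSession123"):
        print(repr(cookie), "->", classify(build(cookie)))
```

Feed it request heads reconstructed from a reverse proxy or packet capture in front of the router; logs that record only the request line carry no cookie and cannot support this check.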
CVSS provenance
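| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |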
GHSA
GHSA-mmm5-f82c-58j8: The administrator application on ASUS GT-AC2900 devices before 3
ghsa_unreviewed·2022-05-24
CVE-2021-32030 [CRITICAL] CWE-287 GHSA-mmm5-f82c-58j8: The administrator application on ASUS GT-AC2900 devices before 3
The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations.
VulnCheck
ASUS Routers Improper Authentication Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-32030 [CRITICAL] CWE-287 ASUS Routers Improper Authentication Vulnerability
ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: ASUS Routers
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-16&host_type=src&vulnerability=cve-2021-32030; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=202
CISA
ASUS Routers Improper Authentication Vulnerability
cisa·2025-06-02·CVSS 9.8
CVE-2021-32030 [CRITICAL] CWE-287 ASUS Routers Improper Authentication Vulnerability
Vulnerability: ASUS Routers Improper Authentication Vulnerability
Affected: ASUS Routers
ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.asus.com/us/supportonly/lyra%20mini/helpdesk_bios/ ; https://www.asus.com/us/supportonly/rog%20rapture%20gt-ac2900/helpdesk_bios/; https://nvd.nist.gov/vuln/detail/CVE-2021-32030
Remediation Due Date: 2025
Suricata
ET WEB_SPECIFIC_APPS ASUS GT-AC2900 Authentication Bypass via Null Character in asus_token HTTP Cookie (CVE-2021-32030)
suricata·2025-09-25·CVSS 9.8
CVE-2021-32030 [CRITICAL] ET WEB_SPECIFIC_APPS ASUS GT-AC2900 Authentication Bypass via Null Character in asus_token HTTP Cookie (CVE-2021-32030)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ASUS GT-AC2900 Authentication Bypass via Null Character in asus_token HTTP Cookie (CVE-2021-32030)"; flow:established,to_server; http.uri; content:"/appGet.cgi|3f|"; startswith; content:"hook|3d|get_cfg_clientlist|28 29|"; fast_pattern; http.cookie; content:"asus_token|3d|"; pcre:"/^(?:\x00|\x2500|\x5c0)/R"; reference:url,www.atredis.com/blog/2021/4/30/asus-authentication-bypass; reference:cve,2021-32030; classtype:web-application-attack; sid:2064924; rev:1; metadata:affected_product Asus, created_at 2025_09_25, cve CVE_2021_32030, deployment Perimeter, deployment Internal, confidence High, signature_se
Nuclei
ASUS GT-AC2900 - Authentication Bypass
nuclei·CVSS 9.8
CVE-2021-32030 [CRITICAL] ASUS GT-AC2900 - Authentication Bypass
ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator application. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '