⚠ Actively exploited
Added to CISA KEV on 2025-06-02. Federal agencies required to patch by 2025-06-23. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..
CVE-2023-39780 — OS Command Injection in Rt-ax55
Severity
8.8HIGHNVD
EPSS
42.7%
top 2.52%
CISA KEV
KEV
Added 2025-06-02
Due 2025-06-23
Exploit
No known exploits
Affected products
Timeline
PublishedSep 11
KEV addedJun 2
KEV dueJun 23
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Description
On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /start_apply.htm qos_bw_rulelist parameter. NOTE: for the similar "token-generated module" issue, see CVE-2023-41345; for the similar "token-refresh module" issue, see CVE-2023-41346; for the similar "check token module" issue, see CVE-2023-41347; and for the similar "code-authentication module" issue, see CVE-2023-41348.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9
Affected Packages2 packages
🔴Vulnerability Details
3🔍Detection Rules
1Suricata▶
ET WEB_SPECIFIC_APPS ASUS AiProtection_HomeProtection.asp oauth_google_auth_code Parameter Command Injection Attempt (CVE-2023-39780)↗2025-05-28