ASUS ExpertWiFi EBM63, EBM68, and RT-AX57 Go firmware before the 12-04-2024 patch contains a command injection vulnerability in the splash_page_SDN.cgi function. If exploited, this vulnerability allows an authenticated user to abuse an ASUS WiFi service, resulting in arbitrary code execution.
Prerequisite
The vulnerability is an authenticated RCE, so users of this script must first retrieve the target's login token (the value of asus_token from the cookie header).