CriticalPublic exploit

Authentication Bypass in AsusWRT POST Request Handling

IdentifiersCVE-2018-5999CWE-306

CVE-2018-5999 affects AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of HTTP POST requests continues even when authentication fails. This logic flaw allows unauthenticated requests to reach functionality intended to be protected by authentication. Supporting reporting describes the issue as enabling unauthorized configuration changes on affected ASUS routers, including abuse of the internal infosvr-related functionality by setting ateCommand_flag=1. Public reporting also states that successful exploitation can lead to remote code execution as root on affected devices.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

An unauthenticated remote attacker can bypass authentication controls and modify router configuration without valid credentials. Reported impacts include changing administrative settings and passwords, exposing internal management functionality, and potentially achieving remote code execution with root privileges on the router. In practice, this enables full device compromise and subsequent use of the router for botnet enrollment, denial-of-service activity, persistence on the network edge, and further abuse of network traffic traversing the device.

Mitigation

If you can’t patch tonight, do this now.

Restrict or disable remote administrative access from untrusted networks, especially WAN-side HTTP/HTTPS management. Limit management access to trusted internal hosts or a VPN. If patching is not immediately possible, remove affected routers from direct internet exposure, monitor for unauthorized configuration changes such as altered admin credentials or suspicious settings, and factory-reset/rebuild compromised devices before reintroducing them to service. Because exploitation has been reported in the wild, unsupported devices should be prioritized for replacement.

Remediation

Patch, then assume compromise.

Upgrade affected ASUS routers to AsusWRT version 3.0.0.4.384_10007 or later, as the issue affects versions before that release. Replace unsupported or end-of-life router models that cannot receive the fixed firmware. Verify that internet-exposed management interfaces are disabled unless strictly required, and confirm that administrative credentials and configuration have not been altered on previously exposed devices.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

ASUSAsuswrtoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

scworldNews

May 26, 2026

RondoDox botnet exploits old ASUS router vulnerability | brief | SC Media

A critical unauthenticated configuration update vulnerability in older ASUS routers that allows attackers to change router settings without authentication.

govinfosecurityNews

May 22, 2026

RondoDox Botnet Exploits 2018 Flaw in Asus Routers

A critical unauthenticated remote code execution vulnerability in Asus routers that allows an attacker to achieve root-level code execution.

bank info securityNews

May 22, 2026

RondoDox Botnet Exploits 2018 Flaw in Asus Routers

A critical unauthenticated remote code execution vulnerability in Asus routers that allows an attacker to achieve root-level code execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware5

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2018-5999

NVD

nvd.nist.gov/vuln/detail/CVE-2018-5999

MITRE CWE · CWE-306

cwe.mitre.org

Third Party Advisory

blogs.securiteam.com/index.php/archives/3589

Third Party Advisory

github.com/pedrib/PoC/blob/master/advisories/asuswrt-lan-rce.txt

Third Party Advisory

raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb

Third Party Advisory

exploit-db.com/exploits/43881

exploit-db.com

exploit-db.com/exploits/44176