CVE-2021-32030 in GT-AC2900
Summary
by MITRE • 05/07/2021
The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 and Lyra Mini before 3.0.0.4_384_46630 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations. Note: All versions of Lyra Mini and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability, Consumers can mitigate this vulnerability by disabling the remote access features from WAN.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 11/10/2025
The vulnerability identified as CVE-2021-32030 represents a critical authentication bypass flaw affecting ASUS GT-AC2900 routers and Lyra Mini devices running firmware versions prior to 3.0.0.4.386.42643 and 3.0.0.4_384_46630 respectively. This vulnerability resides in the administrative application layer of these network devices, specifically within the router/httpd/httpd.c file's handle_request function and the web_hook.o module's auth_check function. The flaw stems from improper input validation and authentication handling mechanisms that fail to adequately distinguish between legitimate and malicious user inputs.
The technical implementation of this vulnerability exploits a specific condition where an attacker can supply a null byte character '\x00' as input to the authentication system. When this null byte is processed by the vulnerable authentication check logic, it inadvertently matches the device's default null byte value stored in memory, effectively bypassing the authentication mechanism entirely. This occurs because the authentication validation routine does not properly sanitize or validate input parameters before comparing them against stored credentials or default values. The vulnerability essentially creates a scenario where any unauthenticated remote user can gain administrative access to the device's management interface without proper credentials.
The operational impact of this vulnerability is severe and far-reaching, as it allows remote attackers to completely compromise the affected network devices. Once authenticated, an attacker gains full administrative privileges to modify router configurations, install malicious firmware, redirect traffic, or establish persistent backdoors. This authentication bypass enables attackers to perform actions such as changing administrator passwords, modifying firewall rules, accessing sensitive network information, and potentially using the compromised device as a pivot point for attacks on other networked systems. The vulnerability is particularly dangerous because it operates entirely over the network without requiring physical access or local credentials, making it an attractive target for automated exploitation campaigns.
This vulnerability aligns with CWE-287, which addresses improper authentication issues, and maps to several ATT&CK techniques including T1078 for valid accounts and T1566 for credential harvesting. The flaw demonstrates poor input validation practices and inadequate security controls in the authentication flow, representing a fundamental failure in secure coding practices. Organizations should implement immediate mitigations including firmware updates to the latest supported versions, disabling remote management features through WAN interfaces, and implementing network segmentation to limit exposure. Additionally, monitoring network traffic for suspicious authentication attempts and implementing intrusion detection systems can help identify exploitation attempts. The recommended long-term solution involves comprehensive security testing of authentication mechanisms, proper input sanitization, and adherence to secure coding standards to prevent similar vulnerabilities in future implementations.