CVE-2024-0401 in ExpertWiFi
Summary
by MITRE • 05/20/2024
ASUS routers supporting custom OpenVPN profiles are vulnerable to a code execution vulnerability. An authenticated and remote attacker can execute arbitrary operating system commands by uploading a crafted OVPN profile. Known affected routers include ASUS ExpertWiFi, ASUS RT-AX55, ASUS RT-AX58U, ASUS RT-AC67U, ASUS RT-AC68R, ASUS RT-AC68U, ASUS RT-AX86, ASUS RT-AC86U, ASUS RT-AX88U, and ASUS RT-AX3000.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 11/22/2025
This vulnerability represents a critical remote code execution flaw in ASUS router firmware that specifically affects devices supporting custom OpenVPN profiles. The vulnerability stems from inadequate input validation during the processing of OVPN profile uploads, allowing authenticated attackers to inject malicious command sequences that execute within the router's operating system context. The flaw exists in the firmware handling logic where user-supplied profile data is not properly sanitized before being processed by the underlying command execution mechanisms. This vulnerability is particularly concerning because it combines both remote exploitability and authenticated access requirements, making it accessible to attackers who have obtained valid credentials for the router's administrative interface.
The technical implementation of this vulnerability aligns with CWE-77 and CWE-78 categories, representing command injection flaws where attacker-controlled data is directly incorporated into system commands without proper sanitization. The affected ASUS router models span multiple generations and product lines including ExpertWiFi series, RT-AX55, RT-AX58U, RT-AC67U, RT-AC68R, RT-AC68U, RT-AX86, RT-AC86U, RT-AX88U, and RT-AX3000, indicating a widespread impact across the vendor's product portfolio. Attackers can leverage this vulnerability through the OpenVPN profile upload functionality, which typically allows users to configure custom VPN connections. The attack vector operates through a carefully crafted OVPN profile that contains malicious command sequences designed to exploit the command injection vulnerability. This attack pattern maps to ATT&CK technique T1059.001 for command and scripting interpreter, specifically targeting the command shell execution capability within the router's operating system.
The operational impact of this vulnerability extends beyond simple remote code execution to encompass complete system compromise and potential lateral movement within network environments. Once exploited, attackers can gain full administrative control over the affected routers, potentially enabling them to modify network configurations, intercept traffic, establish persistent backdoors, or use the compromised devices as launching points for further attacks against other network resources. The vulnerability affects the core network infrastructure devices, making it particularly dangerous for enterprise and home network environments where these routers serve as primary gateways. The authenticated nature of the attack means that compromise requires either legitimate administrative credentials or successful credential theft, but once achieved, the attacker can execute arbitrary commands with the privileges of the router's administrative account. This vulnerability represents a significant risk to network security posture and could enable attackers to establish persistent access to network environments while potentially bypassing traditional security controls that rely on router integrity.
Mitigation strategies should prioritize immediate firmware updates from ASUS to address the identified vulnerability, as the vendor has likely released patches to resolve the command injection flaw in the OpenVPN profile handling code. Network administrators should also implement strict access controls and monitoring for administrative interfaces to reduce the risk of unauthorized access, while conducting thorough network segmentation to limit the potential impact of any successful exploitation. Additional protective measures include disabling unnecessary services such as OpenVPN profile upload functionality when not required, implementing network-based intrusion detection systems to monitor for suspicious command execution patterns, and maintaining comprehensive network monitoring to detect anomalous behavior that might indicate exploitation attempts. Organizations should also consider implementing multi-factor authentication for administrative access and regularly audit administrative account usage to identify potential unauthorized access attempts. The vulnerability highlights the importance of secure input validation in network infrastructure devices and demonstrates how seemingly benign configuration features can become attack vectors when proper security controls are not implemented.