ASUS routers receive patches for critical vulnerabilities affecting more than a dozen product lines

ASUS logo displayed at COMPUTEX 2023 in Taipei
(Image credit: Getty Images)

ASUS has announced a raft of firmware updates to fix critical vulnerabilities found in a number of router devices. 

The firm revealed that nine security vulnerabilities were discovered in networking appliances - two of which were rated as ‘critical’ with six designated as ‘high’ risk. 

Tracked as CVE-2018-1160 and CVE-2022-26376, the two critical vulnerabilities were given a 9.8 severity rating out of a possible 10, the company said. 

Analysis shows that the former of these pertains to an out of bounds write bug found in Netatalk prior to version 3.1.12. This near-five-year-old vulnerability could enable an unauthorised party to achieve arbitrary code execution. 

Meanwhile, CVE-2022-26376 is a memory corruption vulnerability found in Asuswrt and Asuswrt-Merlin New Gen firmware. This flaw could allow an attacker to trigger this vulnerability by leveraging a “specially-crafted HTTP” request, which would cause memory corruption. 

Nearly 20 router models have been affected by disclosed vulnerabilities, ASUS revealed. 

These include:

  • GT6
  • GT-AXE16000
  • GT-AX11000 PRO
  • GT-AXE11000
  • GT-AX6000
  • GT-AX11000
  • GS-AX5400
  • GS-AX3000
  • XT9
  • XT8
  • XT8 V2
  • RT-AX86U PRO
  • RT-AX86U
  • RT-AX86S
  • RT-AX82U
  • RT-AX58U
  • RT-AX3000
  • TUF-AX6000
  • TUF-AX5400.

In its security advisory on 19 June, ASUS urged customers to patch affected routers as soon as possible to avoid risk of exposure.  

The firm warned that customers choosing not to install new firmware updates should disable services accessible from via WAN to “avoid potential unwanted intrusions”. 

“These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger,” ASUS said. 

The company also recommended frequent auditing of equipment to ensure firmware is up to date and to mitigate risk.

“We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected,” the firm said.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at, or on Twitter and LinkedIn.