ASUS, the Taiwanese company, has addressed multiple security vulnerabilities in its router models by releasing firmware updates. Nine security holes, two of which are rated as Critical and six as High severity, are to be fixed by the upgrades. There is one vulnerability that is currently awaiting analysis.

The impacted models comprise GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400. 

The most prominent updates are CVE-2018-1160 and CVE-2022-26376, both of which received a score for severity of 9.8 out of 10 according to the CVSS scale.

CVE-2018-1160 describes an inaccessible write bug in Netatalk versions previous to 3.1.12. This bug, existing for nearly five years, could activate an unauthenticated, remote attacker to execute arbitrary code. CVE-2022-26376 is a memory corruption vulnerability found in the Asuswrt firmware. It can be exploited through a specially-crafted HTTP request.

The remaining seven flaws are as follows:

CVE-2022-35401 (CVSS rating: 8.1): A login bypass flaw enables an intruder to send nefarious inquiries via HTTP to the target system and get complete administrator rights.

Using unique network packets, details exposure weakness CVE-2022-38105 (CVSS rating: 7.5) allows access to private data.

CVE-2022-38393, with a CVSS rating of 7.5 a denial-of-service (DoS) flaw that can be exploited via a network packet that has been customized.

Utilizing a previous version of the libusrsctp library could expose susceptible systems to more attacks, according to CVE-2022-46871 (CVSS score: 8.8).

A command-and-control input weakness known as CVE-2023-28702 (CVSS rating: 8.8) enables local hackers to execute unauthorized system instructions, cause disruptions, or stop services.

A stack-based buffering issue known as CVE-2023-28703 (CVSS score: 7.2) enables an attacker with administrative rights to run unauthorized system instructions, cause system disruption, or stop functions. 

CVE-2023-31195 (CVSS 0.0, no assessment): a hole that allows an attacker-in-the-middle (AitM) to take over a user’s session.

ASUS highly urges customers to immediately apply the most recent updates to reduce security concerns. Users are advised to discontinue services from the WAN side to avoid any possible malicious activity.

The company also suggests that customers periodically conduct equipment audits and establish separate passwords for the wireless network and router administration page.