Taiwanese tech giant ASUS has issued an urgent security advisory after the discovery of multiple severe vulnerabilities in several models of its routers.
An emergency firmware rollout is underway to address nine security flaws, the most significant of which are CVE-2022-26376 and CVE-2018-1160.
The vulnerabilities identified include a critical memory corruption flaw in the Asuswrt firmware for ASUS routers and an out-of-bounds write weakness in Netatalk. If exploited, either vulnerability could let threat actors execute arbitrary code on vulnerable devices. Attackers could also weaponize CVE-2022-26376 to trigger denial-of-service attacks.
The Netatalk weakness is particularly concerning, as the bug is almost five years old and has gone unaddressed until now. ASUS urges customers with affected routers to apply the patches immediately, cautioning that failure to do so could leave them vulnerable to intrusion.
"Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions," the company warned in its security advisory. "These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger."
The following routers are vulnerable and should be updated immediately:
Users can apply the firmware patches through various channels, including the official ASUS support website, product-specific pages, or links provided in the security advisory.
In addition to installing the new firmware, ASUS encourages its customers to strengthen their security by configuring different passwords for their routers and wireless networks. Users should opt for strong, unique passwords that combine uppercase and lowercase characters, symbols, and numbers, and should avoid password recycling (using the same password for multiple accounts, devices, or services).
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.