CVE-2018-5721

2018-01-1706:00:00

mitre

www.cve.org

8.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.8%

JSON

Stack-based buffer overflow in the ej_update_variables function in router/httpd/web.c on ASUS routers (when using software from https://github.com/RMerl/asuswrt-merlin) allows web authenticated attackers to execute code via a request that updates a setting. In ej_update_variables, the length of the variable action_script is not checked, as long as it includes a “_wan_if” substring.

References

www.w0lfzhang.com/2018/01/17/ASUS-router-stack-overflow-in-http-server/