CVE-2023-39780

Known Exploited Public Exploit

Description

On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /start_apply.htm qos_bw_rulelist parameter. NOTE: for the similar "token-generated module" issue, see CVE-2023-41345; for the similar "token-refresh module" issue, see CVE-2023-41346; for the similar "check token module" issue, see CVE-2023-41347; and for the similar "code-authentication module" issue, see CVE-2023-41348.

Category

8.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 66.75% Top 5%
KEV Since 
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory greynoise.io
Affected: ASUS RT-AX55
Published at:
Updated at:

References

Link Tags
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/1/EN.md exploit third party advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/2/EN.md exploit third party advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/3/EN.md exploit third party advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/4/EN.md exploit third party advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/5/EN.md exploit third party advisory
https://github.com/D2y6p/CVE/blob/main/asus/CVE-2023-39780/6/EN.md exploit third party advisory
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers exploit third party advisory

Frequently Asked Questions

What is the severity of CVE-2023-39780?
CVE-2023-39780 has been scored as a high severity vulnerability.
How to fix CVE-2023-39780?
To fix CVE-2023-39780, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-39780 being actively exploited in the wild?
It is confirmed that CVE-2023-39780 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~67% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-39780?
CVE-2023-39780 affects ASUS RT-AX55.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.