CVE-2023-39780 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2023-09-11

Added to CISA KEV: 2025-06-02 630 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Immediately update ASUS RT-AX55 firmware to latest version addressing CVE-2023-39780
Disable remote management interface or restrict access to trusted IP ranges only
Monitor router logs for suspicious authentication attempts and unusual command execution
Change default administrative credentials if not already done
Consider network segmentation to isolate management interfaces

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2023-39780 is a high-severity OS command injection vulnerability affecting ASUS RT-AX55 routers. Below are the details regarding its nature, exploitation, and impact.

Vulnerability Overview

Description: The vulnerability allows an authenticated attacker to perform OS command injection via the `qos_bw_rulelist` parameter in the `/start_apply.htm` endpoint ^[2].
Impact: Successful exploitation grants the attacker the ability to execute arbitrary system commands on the affected device, leading to a full compromise of the router's confidentiality, integrity, and availability ^[3].
CVSS Score: It is classified as a high-severity vulnerability with a CVSS score of 8.8 ^[3].

Exploitation and Threat Actor Usage

Active Exploitation: The vulnerability has been actively exploited in the wild. Threat actors have used it in stealthy campaigns to hijack routers ^[1].
Attack Method: Attackers leverage the vulnerability to enable SSH access on a custom port (TCP/53282) and insert an attacker-controlled public key for persistent remote access ^[1].
Persistence: A critical aspect of this campaign is that the backdoor is stored in non-volatile memory (NVRAM) rather than on the disk. Consequently, the backdoor persists even after firmware updates or device reboots, meaning simply patching the firmware does not automatically remove the attacker's unauthorized SSH access ^[1].
Requirements: Exploitation requires the attacker to be authenticated to the device ^[2].

Affected Versions and Mitigation

Affected Product: ASUS RT-AX55 firmware version `3.0.0.4.386.51598` ^[2].
Patch Status: ASUS has released firmware updates to address this vulnerability ^[1].
Important Mitigation Note: Because the attackers modify SSH configurations and store them in NVRAM, applying the firmware patch alone is insufficient to remove the compromise. Users who were affected must also manually remove the unauthorized SSH configurations or perform a factory reset to ensure the backdoor is cleared ^[1].

Sources

Thousands of ASUS Routers Hijacked in Stealthy Backdoor Campaign
In its report, GreyNoise noted that while ASUS patched CVE-2023-39780 in a recent firmware update, the attacker’s SSH configuration changes cannot be removed by the update. ... Attackers exploit CVE-2023-39780, a high-severity command injection flaw affecting ASUS RT-AX55, to execute system commands…
CVE-2023-39780 Detail - NVD
On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /start_apply.htm qos_bw_rulelist parameter. ... CVE-2023-39780 Detail Description On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /s…
CVE-2023-39780 | High Vulnerability in ASUS RT-AX55 Routers
The CVSS score is 8.8, reflecting high severity due to the potential impact on confidentiality, integrity, and availability. The affected product is the ASUS RT-AX55 firmware version 3.0.0.4.386.51598, which has been classified under CWE-78. Organizations must ensure that they have the latest firmwa…