Published:2026/01/23 Last Updated:2026/01/23
JVN#67560152
Command injection vulnerability in ASUS routers
Overview
A command injection vulnerability exists in ASUS routers.
Products Affected
ASUS routers with the AiCloud feature running with the following firmware series.
- 3.0.0.4_382 series
- 3.0.0.4_386 series
- 3.0.0.4_388 series
- 3.0.0.6_102 series
Description
Multiple routers provided by ASUSTeK COMPUTER INC. contain command injection vulnerability in AiCloud.
- Command injection (CWE-77)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
- CVE-2025-2492
Impact
An arbitrary command could be executed on the affected products with the administrative privileges.
Solution
Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| ASUSTeK COMPUTER INC. | ASUS Security Advisory |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
NICTER Analysis Team of Cybersecurity Research Institute, National Institute of Information and Communications Technology reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
|
| JVN iPedia |
JVNDB-2026-000010 |