Vulnerability detected in 30 Asus RT router models

12 May 2017, 21:40 | Technologies

Nightwatch Cybersecurity experts found a CSRF vulnerability (CVE-2017-5891) in 30 Asus RT device models. If the user has left the factory credentials (admin:admin) in place, or the attacker knows the administrator password, the attacker can compromise the device by getting the victim to visit a malicious web page.

The problem affects RT-AC and RT-N models with firmware versions later than 3.380.7378. After successfully logging in to the device, an attacker can change the router's settings or intercept DNS. However, as the researchers noted, the vulnerability could not be exploited every time.

The experts also discovered flaws (CVE-2017-5891) related to JSONP (an extension of the basic JSON format).

Exploiting them allows an attacker to obtain sensitive information, such as the network map or data about the router.

The CSRF vulnerability was fixed with the release of the March updates. However, the manufacturer did not find it necessary to fix CVE-2017-5891. The new firmware version also fixed an XSS vulnerability in the HTTP daemon (CVE-2017-6547), a vulnerability in the HTTP daemon that allows session hijacking (CVE-2017-6549), and a vulnerability in the networkmap command that causes a buffer overflow and allows remote code execution.
