CVE-2016-6558
high-risk
Published 2018-07-13
A command injection vulnerability exists in apply.cgi in the web interface of the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, specifically in the action_script parameter. The action_script parameter specifies a script to be executed if the action_mode parameter does not contain a valid state. If the input provided in action_script does not match one of the hard-coded options, it is passed as the argument to either a system() or an eval() call, allowing arbitrary commands to be executed.
Do I need to act?
4.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10
Critical
NETWORK / LOW complexity
Affected Products (7)
Rp-Ac52 Firmware
Ea-N66 Firmware
Rp-N12 Firmware
Rp-N14 Firmware
Rp-N53 Firmware
Rp-Ac56 Firmware
Wmp-N12 Firmware
Affected Vendors
References
Third Party Advisory
https://www.kb.cert.org/vuls/id/763843
Third Party Advisory
https://www.securityfocus.com/bid/93596
53 / 100
high-risk
Severity
32/34 · Critical
Exploitability
7/34 · Low
Exposure
14/34 · Moderate