
ASUS has released firmware and software updates addressing multiple vulnerabilities across its consumer router lines and PC management software.
The first advisory focuses on router firmware vulnerabilities affecting several versions of the ASUSWRT firmware series, while a second involves a local privilege escalation flaw in the ASUS System Control Interface component of the MyASUS application used across the company’s consumer PC lineup.
Authentication bypass in AiCloud
The most severe router-side flaw, CVE-2025-59366, carries a CVSS v4.0 score of 9.2 (Critical). This vulnerability allows an attacker to bypass authentication in the AiCloud feature, a remote access and cloud sync service bundled with ASUS routers. The flaw stems from unintended interactions within the Samba service, which could permit unauthorized execution of sensitive functions without valid credentials.
Seven other vulnerabilities were also patched in the 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102 firmware branches. These include:
- CVE-2025-12003 (CVSS 8.2, High): Exploitable without authentication and could lead to high-impact confidentiality and integrity breaches.
- CVE-2025-59370 and CVE-2025-59371 (CVSS 7.5, High): Require elevated privileges but could lead to data compromise or service misuse.
ASUS has provided updated firmware for supported router models as of October 2025. For users of end-of-life (EOL) devices no longer receiving updates, ASUS recommends disabling all services exposed to the internet, such as AiCloud, DDNS, VPN server, and remote management functions, and using strong, unique passwords for both router access and Wi-Fi networks.
ASUS is a major consumer electronics manufacturer, particularly well known for its gaming and enthusiast-grade networking gear, including the RT-AX and ROG Rapture series. These devices are widely used in home and small-office environments.
MyASUS flaw enables SYSTEM-level escalation
CVE-2025-59373, rated 8.5 (High), affects MyASUS, the software pre-installed on ASUS laptops, desktops, mini-PCs, and all-in-one systems. The flaw resides in the ASUS System Control Interface component, where unprivileged users could exploit an insecure restore mechanism to plant files in protected directories. If successful, this could lead to arbitrary code execution with SYSTEM privileges, the highest level of access in Windows environments.
The issue has been fixed in ASUS System Control Interface 3.1.48.0 (x64) and 4.2.48.0 (ARM), available via Windows Update or direct download from ASUS’s support portal. Users can verify their current version of the interface through the MyASUS application under Settings → About.
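The version check described above can be scripted once the installed version has been read from MyASUS (Settings → About). The following is an added example, not ASUS code: only the two fixed build numbers come from the advisory; the function names and the "x64 builds are 3.x, ARM builds are 4.x" branch rule are assumptions drawn from those two numbers.

```python
"""Decide whether an installed ASUS System Control Interface build
includes the CVE-2025-59373 fix.

Added example, not ASUS code. Only the two fixed versions are taken from
the advisory; the branch rule (x64 = 3.x, ARM = 4.x) is assumed from them.
"""
from typing import Tuple

# Fixed versions named in the advisory, keyed by architecture.
FIXED_VERSIONS = {
    "x64": "3.1.48.0",
    "arm": "4.2.48.0",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.1.48.0' into (3, 1, 48, 0), padding short forms such as
    '3.1.48' with zeros so they compare correctly against 4-part builds."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    parts += ["0"] * (4 - len(parts))
    return tuple(int(p) for p in parts[:4])


def is_patched(installed: str, arch: str) -> bool:
    """True if `installed` is at least the fixed build for `arch`.

    The x64 and ARM builds live on different major versions, so a version
    from the wrong branch is rejected instead of silently compared.
    """
    fixed = parse_version(FIXED_VERSIONS[arch.lower()])
    have = parse_version(installed)
    if have[0] != fixed[0]:
        raise ValueError(
            f"{installed} is not a {arch} build (expected {fixed[0]}.x)"
        )
    return have >= fixed


if __name__ == "__main__":
    # Constructed inputs, not read from a real machine.
    for version, arch in [("3.1.47.2", "x64"), ("3.1.48.0", "x64"),
                          ("4.2.48.0", "arm"), ("4.2.47.0", "arm")]:
        state = "patched" if is_patched(version, arch) else "VULNERABLE"
        print(f"{arch}: {version} -> {state}")
```

Anything older than the fixed build on its own branch is reported as vulnerable; a mismatched branch raises rather than producing a misleading answer.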
Given the widespread distribution of MyASUS on ASUS-branded PCs, the vulnerability has a potentially broad impact.
Users are advised to update their router firmware and MyASUS software by sourcing installers from ASUS’s official download portal. For EoL routers, disable all internet-facing services, including AiCloud, remote WAN access, and port forwarding.
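The EoL guidance above (and the same advice in the router section) amounts to an audit: confirm that AiCloud, DDNS, the VPN server, remote WAN access and port forwarding are all switched off. The following is an added example, not ASUS code, that runs that audit over the output of the router's `nvram show` command. The nvram variable names are assumptions based on common ASUSWRT conventions; check them against your own firmware's `nvram show` output before trusting the result, and the sample dump is constructed, not captured from a device.

```python
"""Audit an ASUSWRT `nvram show` dump for internet-facing services.

Added example, not ASUS code. The nvram key names are assumed to follow
common ASUSWRT conventions; verify them on your own firmware.
"""
from typing import Dict, List

# Assumed nvram keys -> service name; a value of "1" means enabled.
EXPOSED_SERVICE_KEYS: Dict[str, str] = {
    "enable_cloudsync": "AiCloud Smart Sync",
    "enable_webdav": "AiCloud Cloud Disk (WebDAV)",
    "webdav_aidisk": "AiCloud AiDisk",
    "ddns_enable_x": "DDNS client",
    "misc_http_x": "Remote WAN web access",
    "vpn_server_enable": "OpenVPN server",
    "pptpd_enable": "PPTP VPN server",
    "vts_enable_x": "Port forwarding (virtual server)",
}


def parse_nvram(dump: str) -> Dict[str, str]:
    """Parse `nvram show`-style 'key=value' lines into a dict.

    Blank lines and lines without '=' (e.g. the trailing byte-count
    summary some firmwares print) are skipped.
    """
    settings: Dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def exposed_services(settings: Dict[str, str]) -> List[str]:
    """Return the names of internet-facing services that are switched on.

    A missing key is treated as disabled. A DMZ host is reported as well,
    since it forwards every unsolicited WAN port to one LAN device.
    """
    found = [name for key, name in EXPOSED_SERVICE_KEYS.items()
             if settings.get(key, "0") == "1"]
    dmz = settings.get("dmz_ip", "").strip()
    if dmz:
        found.append(f"DMZ host {dmz}")
    return found


# Constructed sample dump (not taken from a real router).
SAMPLE_DUMP = """\
productid=RT-AX58U
enable_cloudsync=1
enable_webdav=1
webdav_aidisk=0
ddns_enable_x=1
misc_http_x=1
misc_httpsport_x=8443
vpn_server_enable=0
pptpd_enable=0
vts_enable_x=0
dmz_ip=
size: 12345 bytes (53211 left)
"""

if __name__ == "__main__":
    for service in exposed_services(parse_nvram(SAMPLE_DUMP)):
        print("EXPOSED:", service)
```

On a live router, pipe `nvram show` into `parse_nvram` over SSH; an empty result is the state the advisory asks EoL owners to reach. Services the script cannot see (for example a third-party VPN add-on) still need a manual check.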