CVE-2018-6000

CRITICAL EXPLOITED

AsusWRT <3.0.0.4.384_10007 - Privilege Escalation

Title source: llm

Description

An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotehardware

https://www.exploit-db.com/exploits/44176

View Code ZIP pw:eip

exploitdb WRITEUP

by Pedro Ribeiro · textremotehardware

https://www.exploit-db.com/exploits/43881

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Pedro Ribeiro <[email protected]> · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/asuswrt_lan_rce.rb

View Code ZIP pw:eip

References (5)

[Exploit, Technical Description, Third Party Advisory] https://blogs.securiteam.com/index.php/archives/3589

[Exploit, Third Party Advisory] https://github.com/pedrib/PoC/blob/master/advisories/asuswrt-lan-rce.txt

[Exploit, Third Party Advisory] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/43881/

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/44176/

Scores

CVSS v3 9.8

EPSS 0.9065

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2026-03-11

CWE

CWE-862

Status published

Products (1)

asus/asuswrt < 3.0.0.4.384_10007

Published Jan 22, 2018

Tracked Since Feb 18, 2026