CVE-2018-6000

CRITICAL EXPLOITED

AsusWRT <3.0.0.4.384_10007 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2018-6000 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Metasploit, Pedro Ribeiro, Pedro Ribeiro <[email protected]>, including a Metasploit module exploits/linux/http/asuswrt_lan_rce.

AI-analyzed exploit summary This Metasploit module exploits CVE-2018-6000 in AsusWRT routers by setting the `ateCommand_flag` via a POST request to `/vpnupload.cgi` and then sending a UDP packet to port 9999 to execute arbitrary commands as root. It starts a telnetd service on a random port for interactive shell access.

Description

An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotehardware
https://www.exploit-db.com/exploits/44176

This Metasploit module exploits CVE-2018-6000 in AsusWRT routers by setting the `ateCommand_flag` via a POST request to `/vpnupload.cgi` and then sending a UDP packet to port 9999 to execute arbitrary commands as root. It starts a telnetd service on a random port for interactive shell access.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: AsusWRT < v3.0.0.4.384.10007
No auth needed
Prerequisites: Network access to the target router's LAN interface · UDP port 9999 accessible · HTTP port 80 accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP
by Pedro Ribeiro · textremotehardware
https://www.exploit-db.com/exploits/43881

This is a detailed writeup describing two vulnerabilities (CVE-2018-5999 and CVE-2018-6000) in AsusWRT routers, including an authentication bypass and unauthenticated NVRAM configuration manipulation leading to remote code execution. The document explains the technical details, exploitation steps, and references related tools like a Metasploit module.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: AsusWRT (versions before v3.0.0.4.384.10007)
No auth needed
Prerequisites: Network access to the LAN · Vulnerable AsusWRT firmware version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Pedro Ribeiro <[email protected]> · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/asuswrt_lan_rce.rb

This Metasploit module exploits an unauthenticated RCE vulnerability in AsusWRT by setting a NVRAM variable via HTTP POST and sending a crafted UDP packet to execute arbitrary commands as root. It spawns a telnetd service for interactive shell access.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: AsusWRT < v3.0.0.4.384.10007
No auth needed
Prerequisites: Network access to the AsusWRT HTTP portal (port 80) and UDP port 9999
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44176/
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://blogs.securiteam.com/index.php/archives/3589
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43881/

Scores

CVSS v3 9.8
EPSS 0.8973
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2026-03-11
CWE
CWE-862
Status published
Products (1)
asus/asuswrt < 3.0.0.4.384_10007
Published Jan 22, 2018
Tracked Since Feb 18, 2026