CVE-2020-36109

CRITICAL

ASUS RT-AX86U Firmware < 9.0.0.4_386 - Buffer Overflow in blocking_request.cgi

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-36109. PoCs published by sunn1day, tin-z.

Description

ASUS RT-AX86U router firmware below version 9.0.0.4_386 has a buffer overflow in the blocking_request.cgi function of the httpd module that can cause code execution when an attacker constructs malicious data.

Exploits (2)

nomisec WORKING POC 17 stars
by sunn1day · poc
https://github.com/sunn1day/CVE-2020-36109-POC

This repository contains a functional proof-of-concept exploit for CVE-2020-36109, a buffer overflow vulnerability in the ASUS RT-AX86U router's httpd module. The exploit demonstrates a Denial of Service (DoS) condition by crafting a malicious request to the blocking_request.cgi endpoint, though it notes that RCE is not achievable due to stack canary protections.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: ASUS RT-AX86U router firmware (versions below 9.0.0.4_386)
No auth needed
Prerequisites: Target must have the same time zone as the attacker · Referer header must contain the target's address · mac parameter must match the MULTIFILTER_MAC nvram value
devstral-2 · analyzed Feb 18, 2026

nomisec SUSPICIOUS 2 stars
by tin-z · poc
https://github.com/tin-z/CVE-2020-36109-POC

The repository contains no exploit code or technical details, only a redirect to another GitHub repository. This is a common tactic used in suspicious repos to lure researchers into downloading potentially malicious content from external sources.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
Prerequisites: none
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0421
EPSS Percentile: 89.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-120
Status: published
Products (1): asus/rt-ax86u_firmware < 9.0.0.4_386
Published: Feb 01, 2021
Tracked Since: Feb 18, 2026