CVE-2022-25597
HIGHASUS RT-AC86U Firmware - Unauthenticated OS Command Injection via LPD Service
Title source: llmDescription
ASUS RT-AC86U’s LPD service has insufficient filtering for special characters in the user request, which allows an unauthenticated LAN attacker to perform command injection attack, execute arbitrary commands and disrupt or terminate service.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://www.twcert.org.tw/tw/cp-132-5794-09c33-1.html
Scores
CVSS v3
8.8
EPSS
0.0022
EPSS Percentile
44.1%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
asus/rt-ac86u_firmware
3.0.0.4.386.45956
Published
Apr 07, 2022
Tracked Since
Feb 18, 2026