Description
A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1511
Scores
CVSS v3
9.8
EPSS
0.0070
EPSS Percentile
72.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-787
Status
published
Products (19)
asus/asuswrt
< 3.0.0.4.386_48706
asus/et12_firmware
< 3.0.0.4.386_48823
asus/gt-ax11000_firmware
< 3.0.0.4.386_49559
asus/gt-ax11000_pro_firmware
< 3.0.0.4.386_48996
asus/gt-ax6000_firmware
< 3.0.0.4.386_48823
asus/gt-axe16000_firmware
< 3.0.0.4.386_48786
asus/rt-ax55_firmware
< 3.0.0.4.386_49559
asus/rt-ax56u_firmware
< 3.0.0.4.386_49559
asus/rt-ax58u_firmware
< 3.0.0.4.386_48908
asus/rt-ax68u_firmware
< 3.0.0.4.386_49479
... and 9 more
Published
Aug 05, 2022
Tracked Since
Feb 18, 2026