PT-2018-4956 · Asus · Asus Rp-Ac52

Ian Smith · Published 2018-07-13 · Updated 2019-10-09 · CVE-2016-6558

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ASUS RP-AC52 access point firmware version 1.0.1.1s and possibly earlier

Description

A command injection issue exists in the apply.cgi web interface, specifically in the action_script parameter. This parameter specifies a script to execute when the action_mode parameter does not contain a valid state. If the input provided in action_script does not match one of the hardcoded options, it is passed as the argument of either a system() or an eval() call, allowing arbitrary commands to be executed.

Recommendations

For firmware version 1.0.1.1s and possibly earlier, consider restricting access to the apply.cgi web interface until a patch is available. As a temporary workaround, avoid using the action_script parameter in the affected web interface to minimize the risk of exploitation.
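The following is an added example, not ASUS firmware code and not part of the original advisory: it shows the hardened counterpart of the fall-through described above, where an unmatched action_script value is rejected instead of reaching system() or eval(). The action names, handlers and the function `apply_action_script` are hypothetical, since the advisory does not list the firmware's hardcoded options.

```c
#include <stdio.h>
#include <string.h>

/* Constructed handlers standing in for the firmware's fixed actions. */
static int last_action = 0;                 /* records which handler ran */
static int do_restart_wireless(void) { last_action = 1; return 0; }
static int do_restart_time(void)     { last_action = 2; return 0; }

/* Hypothetical allowlist: the advisory does not name the hardcoded options. */
static const struct action {
    const char *name;
    int (*handler)(void);
} ACTIONS[] = {
    { "restart_wireless", do_restart_wireless },
    { "restart_time",     do_restart_time },
};

/*
 * Flawed pattern the advisory describes, for contrast only (not compiled):
 *     if (!is_hardcoded_option(script)) system(script);
 * Hardened form: an exact, whole-string match selects a compiled-in handler;
 * everything else is rejected and never reaches system() or eval().
 * Returns an HTTP-style status: 200 handled, 400 rejected, 500 handler failed.
 */
int apply_action_script(const char *script)
{
    if (script == NULL || script[0] == '\0')
        return 400;
    for (size_t i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++) {
        if (strcmp(script, ACTIONS[i].name) == 0)   /* no prefix matching */
            return ACTIONS[i].handler() == 0 ? 200 : 500;
    }
    return 400;
}

int last_action_run(void) { return last_action; }

int main(void)
{
    /* Constructed inputs: an allowlisted name, one with trailing data, empty. */
    const char *samples[] = { "restart_wireless", "restart_wireless;x", "" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s -> %d\n", samples[i], apply_action_script(samples[i]));
    return 0;
}
```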

Fix

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2016-6558

Affected Products

Asus Rp-Ac52