PT-2020-14460 · Gnu+1 · Wget+1

Published: 2020-07-24 · Updated: 2020-09-03 · CVE-2020-15498

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

ASUS RT-AC1900P versions prior to 3.0.0.4.385 20253

Description

An issue was discovered where the router accepts an arbitrary server certificate for a firmware update. This is due to the --no-check-certificate option being passed to the wget tool used to download firmware update files.

Recommendations

For versions prior to 3.0.0.4.385 20253, update to version 3.0.0.4.385 20253 or later to resolve the issue. As a temporary workaround, consider disabling the firmware update feature until a patch is available. Restrict access to the firmware update module to minimize the risk of exploitation. Avoid using the wget tool with the --no-check-certificate option in the affected API endpoint until the issue is resolved.
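
The following is an added example, not code from ASUS or from this advisory: a shell check that scans an unpacked firmware or script tree for the condition described above, wget invoked with certificate validation disabled. It goes slightly beyond the description by also flagging the equivalent wgetrc setting; the directory layout, script names and update URL are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a file tree for wget running with TLS certificate checks disabled.
# Prints "file:line:text" for each finding.
find_insecure_wget() {
    root=$1
    # 1) The command-line flag. Prefix match, so shortened spellings of the
    #    long option are caught too; lines that are only comments are dropped.
    grep -rInE -e 'wget[[:space:]].*--no-check-cert' "$root" 2>/dev/null |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
    # 2) The wgetrc equivalent. wgetrc command names ignore case, '-' and '_'.
    find "$root" -type f \( -name 'wgetrc' -o -name '.wgetrc' \) -exec \
        grep -HniE '^[[:space:]]*check[-_]*certificate[[:space:]]*=[[:space:]]*(off|no|0)' {} + 2>/dev/null || true
}

count_findings() { find_insecure_wget "$1" | wc -l | tr -d ' '; }

# Build a small constructed tree: one vulnerable updater, one fixed updater, one wgetrc.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/sbin" "$d/etc"
    cat > "$d/usr/sbin/fwupdate.sh" <<'EOF'
#!/bin/sh
# old: wget --no-check-certificate was used here
wget -q --no-check-certificate -O /tmp/fw.trx "https://updates.example.invalid/fw.trx"
EOF
    cat > "$d/usr/sbin/fwupdate_fixed.sh" <<'EOF'
#!/bin/sh
wget -q --ca-certificate=/etc/ssl/ca.pem -O /tmp/fw.trx "https://updates.example.invalid/fw.trx"
EOF
    printf 'Check_Certificate = off\n' > "$d/etc/wgetrc"
    echo "$d"
}

tree=$(make_sample_tree)
find_insecure_wget "$tree"
echo "findings: $(count_findings "$tree")"
rm -rf "$tree"
```

A match in a download path that fetches firmware is the pattern this advisory describes; the script only finds text occurrences and does not cover updaters that fetch over TLS by other means.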

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2020-15498

Affected Products

Asus Rt-Ac1900P
Wget