PT-2021-19636 · Asus · Asus Lyra Mini+1

Chris Bellows +1 · Published 2021-05-06 · Updated 2025-11-10 · CVE-2021-32030

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ASUS GT-AC2900 versions prior to 3.0.0.4.386.42643
Lyra Mini versions prior to 3.0.0.4 384 46630

Description

The administrator application on ASUS GT-AC2900 and Lyra Mini devices allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This issue relates to the handle_request function in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of 0 matches the device's default value of 0 in some situations. There have been attempts to exploit this issue, with 379,868 attempts reported as failed due to a tiny error.

Recommendations

For ASUS GT-AC2900 versions prior to 3.0.0.4.386.42643, update to version 3.0.0.4.386.42643 or later. For Lyra Mini versions prior to 3.0.0.4 384 46630, update to version 3.0.0.4 384 46630 or later. As a temporary workaround, consider disabling the remote access features from WAN to minimize the risk of exploitation.

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2025-06519
CVE-2021-32030

Affected Products

Asus Rt-Ac2900
Asus Lyra Mini