CVE-2023-39780
Published: 11 September 2023
Summary
CVE-2023-39780 is a high-severity OS command injection (CWE-78) vulnerability in ASUS RT-AX55 firmware. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-39780 affects ASUS RT-AX55 routers running firmware 3.0.0.4.386.51598. The flaw is an OS command injection vulnerability (CWE-78) in the web interface, specifically triggered when an authenticated user submits crafted input to the qos_bw_rulelist parameter of the /start_apply.htm endpoint. It carries a CVSS 3.1 base score of 8.8.
An attacker who has already obtained valid administrative credentials can send a malicious HTTP request over the network to execute arbitrary operating-system commands on the device. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability of the router, enabling actions such as configuration changes, traffic interception, or persistence mechanisms.
The supplied references consist of detailed technical write-ups hosted on GitHub; none of them describe vendor patches, firmware updates, or official mitigation steps. The EPSS score has remained flat at its observed peak of 0.47 with no indicated rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-43480
Vulnerability details
On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /start_apply.htm qos_bw_rulelist parameter. NOTE: for the similar "token-generated module" issue, see CVE-2023-41345; for the similar "token-refresh module" issue, see CVE-2023-41346; for the similar "check token module" issue, see CVE-2023-41347; and for the similar "code-authentication module" issue, see CVE-2023-41348.
- CWE(s): CWE-78
- KEV Date Added: 02 June 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of the qos_bw_rulelist parameter on /start_apply.htm to block OS command injection (CWE-78).
- Least privilege for the web-management process: Limits the privileges of that process so that successful injection cannot yield full device control.
- SI-2 (Flaw Remediation): Mandates timely patching of the firmware flaw that permits authenticated command injection via the QoS endpoint.
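Until the firmware is patched, a defender can at least watch for the request shape this record describes. The following is an added example (not part of this record and not ASUS code) that scans web-access log lines for requests to /start_apply.htm whose qos_bw_rulelist value carries shell metacharacters. The log lines are constructed for illustration: the parameter is shown as a query string so it is visible in a combined-format log, whereas on the device it is submitted in the POST body, so in practice this logic belongs in a reverse proxy or WAF log in front of the admin interface. The set of flagged characters is an assumption, since the legitimate rule-list syntax is not documented here; angle brackets are deliberately left alone because the constructed benign sample uses them as field separators.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). NOT real captures
# from an RT-AX55; the parameter is placed in the query string only so that it
# appears in the log line at all.
SAMPLE_LOG = """\
192.168.50.10 - admin [12/Sep/2023:10:01:02 +0000] "POST /start_apply.htm?qos_bw_rulelist=%3C%3E192.168.50.20%3E1000%3E500%3E HTTP/1.1" 200 512
192.168.50.10 - admin [12/Sep/2023:10:02:15 +0000] "POST /start_apply.htm?qos_bw_rulelist=%3C%3E192.168.50.20%3E1000%3E500%3E%3Bx HTTP/1.1" 200 512
192.168.50.11 - admin [12/Sep/2023:10:03:40 +0000] "GET /index.asp HTTP/1.1" 200 4096
192.168.50.10 - admin [12/Sep/2023:10:04:01 +0000] "POST /start_apply.htm?qos_bw_rulelist=%24%28x%29 HTTP/1.1" 200 512
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

WATCHED_PATH = "/start_apply.htm"      # endpoint named in the CVE record
WATCHED_PARAM = "qos_bw_rulelist"      # parameter named in the CVE record

# ASSUMPTION: shell metacharacters that a bandwidth rule list should never
# contain. Tune against the device's real rule-list syntax before deploying.
SHELL_META = re.compile(r"[;|&`$()\n\r]")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so %3B becomes ";" before inspection.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def suspicious_requests(log_text):
    """Return one hit per request to the watched endpoint whose watched
    parameter contains any flagged metacharacter, with the decoded value."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != WATCHED_PATH:
            continue
        for value in rec["params"].get(WATCHED_PARAM, []):
            found = sorted(set(SHELL_META.findall(value)))
            if found:
                hits.append({
                    "ip": rec["ip"],
                    "user": rec["user"],
                    "ts": rec["ts"],
                    "value": value,
                    "metachars": found,
                })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} "
              f"metachars={hit['metachars']} value={hit['value']!r}")
```

Of the four constructed lines, the first is a plausibly benign rule list and the third is unrelated traffic; only the second and fourth are reported. Because the flaw requires valid administrative credentials, a hit is also a prompt to review how that admin session was obtained, not just to block the request.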