Cyber Resilience

CVE-2023-39780

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 11 September 2023

Published
11 September 2023
Modified
31 October 2025
KEV Added
02 June 2025
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.4709 97.8th percentile
Risk Priority 66 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-39780 is a high-severity OS Command Injection (CWE-78) vulnerability in Asus Rt-Ax55 Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-39780 affects ASUS RT-AX55 routers running firmware 3.0.0.4.386.51598. The flaw is an OS command injection vulnerability (CWE-78) in the web interface, specifically triggered when an authenticated user submits crafted input to the qos_bw_rulelist parameter of the /start_apply.htm endpoint. It carries a CVSS 3.1 base score of 8.8.

An attacker who has already obtained valid administrative credentials can send a malicious HTTP request over the network to execute arbitrary operating-system commands on the device. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability of the router, enabling actions such as configuration changes, traffic interception, or persistence mechanisms.

The supplied references consist of detailed technical write-ups hosted on GitHub; none of them describe vendor patches, firmware updates, or official mitigation steps. The EPSS score has remained flat at its observed peak of 0.47 with no indicated rise after disclosure.

EU & UK References

Vulnerability details

On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /start_apply.htm qos_bw_rulelist parameter. NOTE: for the similar "token-generated module" issue, see CVE-2023-41345; for the similar "token-refresh module" issue, see CVE-2023-41346; for the similar "check token module"…

more

issue, see CVE-2023-41347; and for the similar "code-authentication module" issue, see CVE-2023-41348.

CWE(s)
KEV Date Added
02 June 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

asus
rt-ax55 firmware
3.0.0.4.386.51598

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the qos_bw_rulelist parameter on /start_apply.htm to block OS command injection (CWE-78).

prevent

Limits privileges of the web-management process so that successful injection cannot yield full device control.

prevent

Mandates timely patching of the firmware flaw that permits authenticated command injection via the QoS endpoint.

References