Cyber Resilience

CVE-2024-0401

HighPublic PoCRCE

Published: 20 May 2024

Published
20 May 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0312 87.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-0401 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, ranked in the top 12.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

ASUS routers supporting custom OpenVPN profiles contain an OS command injection vulnerability tracked as CVE-2024-0401 and CWE-78. Affected devices include the ExpertWiFi series along with RT-AX55, RT-AX58U, RT-AC67U, RT-AC68R, RT-AC68U, RT-AX86, RT-AC86U, RT-AX88U, and RT-AX3000. The flaw carries a CVSS 3.1 score of 7.2 and permits execution of arbitrary operating-system commands when a crafted OVPN profile is processed.

An authenticated remote attacker with administrative privileges can exploit the issue over the network by uploading a malicious profile, achieving full command execution on the router without user interaction. The attack requires high privileges and targets the OpenVPN configuration handling component directly.

Public advisories published by VulnCheck at https://vulncheck.com/advisories/asus-ovpn-rce describe the vulnerability and list the impacted models. The associated EPSS score rose from lower values to a peak of 0.0712 on 2025-12-11 before receding to the current 0.0312, indicating a period of elevated exploitation interest after disclosure.

EU & UK References

Vulnerability details

ASUS routers supporting custom OpenVPN profiles are vulnerable to a code execution vulnerability. An authenticated and remote attacker can execute arbitrary operating system commands by uploading a crafted OVPN profile. Known affected routers include ASUS ExpertWiFi, ASUS RT-AX55, ASUS RT-AX58U,…

more

ASUS RT-AC67U, ASUS RT-AC68R, ASUS RT-AC68U, ASUS RT-AX86, ASUS RT-AC86U, ASUS RT-AX88U, and ASUS RT-AX3000.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References