CVE-2024-0401
Published: 20 May 2024
Summary
CVE-2024-0401 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, ranked in the top 12.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
ASUS routers supporting custom OpenVPN profiles contain an OS command injection vulnerability tracked as CVE-2024-0401 and CWE-78. Affected devices include the ExpertWiFi series along with RT-AX55, RT-AX58U, RT-AC67U, RT-AC68R, RT-AC68U, RT-AX86, RT-AC86U, RT-AX88U, and RT-AX3000. The flaw carries a CVSS 3.1 score of 7.2 and permits execution of arbitrary operating-system commands when a crafted OVPN profile is processed.
An authenticated remote attacker with administrative privileges can exploit the issue over the network by uploading a malicious profile, achieving full command execution on the router without user interaction. The attack requires high privileges and targets the OpenVPN configuration handling component directly.
Public advisories published by VulnCheck at https://vulncheck.com/advisories/asus-ovpn-rce describe the vulnerability and list the impacted models. The associated EPSS score rose from lower values to a peak of 0.0712 on 2025-12-11 before receding to the current 0.0312, indicating a period of elevated exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16197
Vulnerability details
ASUS routers supporting custom OpenVPN profiles are vulnerable to a code execution vulnerability. An authenticated and remote attacker can execute arbitrary operating system commands by uploading a crafted OVPN profile. Known affected routers include ASUS ExpertWiFi, ASUS RT-AX55, ASUS RT-AX58U,…
more
ASUS RT-AC67U, ASUS RT-AC68R, ASUS RT-AC68U, ASUS RT-AX86, ASUS RT-AC86U, ASUS RT-AX88U, and ASUS RT-AX3000.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.