Information disclosure in Asus Rt-ac66u_firmware

CVE-2014-2719

Advanced_System_Content.asp in the ASUS RT series routers with firmware before 3.0.0.4.374.5517, when an administrator session is active, allows remote authenticated users to obtain the administrator user name and password by reading the s…

Vulnerability class: Information Disclosure

EPSS: 0.003 (54.4th percentile) — read the EPSS interpretation.

Affected products

Asus Rt-ac66u_firmware — versions 3.0.0.4.140, 3.0.0.4.220, 3.0.0.4.246
Asus Rt-ac68u
Asus Rt-ac68u_firmware — versions 3.0.0.4.374.4755, 3.0.0.4.374_4561, 3.0.0.4.374_4887
Asus Rt-n10e_firmware — versions 2.0.0.7, 2.0.0.10, 2.0.0.16
Asus Rt-n14u_firmware — versions 3.0.0.4.322, 3.0.0.4.356
Asus Rt-n16_firmware — versions 1.0.1.9, 1.0.2.3, 3.0.0.3.108
Asus Rt-n56u_firmware — versions 1.0.1.4, 1.0.1.4o, 1.0.1.7c
Asus Rt-n65u_firmware — versions 3.0.0.3.134, 3.0.0.3.176, 3.0.0.4.260
Asus Rt-n66u_firmware — versions 3.0.0.4.272, 3.0.0.4.370
T-mobile Tm-ac1900 — versions 3.0.0.4.376_3169

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

cve@mitre.org (x_refsource_MISC)
cve@mitre.org (x_refsource_CONFIRM)
20140416 ASUS RT-XXXX SOHO routers expose admin password, fixed in 3.0.0.4.374.5517 (mailing-list, x_refsource_FULLDISC)
cve@mitre.org (x_refsource_CONFIRM)