CVE-2025-15101
CSRF in ASUS Router Web Interface Enables Privileged Command Execution
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: ASUS
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| asus | asus_firmware | to 3.0.0.6_102 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue found in the web management interface of certain ASUS router models.
It allows an attacker to perform actions on the affected device using the privileges of an authenticated user without their consent.
Specifically, it can enable execution of system commands through unintended mechanisms.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow unauthorized actions to be performed on your ASUS router with the privileges of a logged-in user.
This could lead to execution of system commands, potentially compromising the security and functionality of your device.