8 Flaws: ASUS Routers Urgently Need Patch for Authentication Bypass (CVE-2025-59366, CVSS 9.4)
Ddos 
ASUS has released an urgent security update to address a sweeping list of eight potential vulnerabilities in multiple router models, spanning various components including AiCloud, bwdpi, WebDAV, and the IFTTT integration feature. These flaws range in severity, with one critical vulnerability reaching a CVSS score of 9.4.
The most severe vulnerability is an Authentication Bypass issue in AiCloud, tracked as CVE-2025-59366 (CVSS 9.4). This flaw can be triggered by “an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization“. The 3.0.0.4_386 series firmware is among those affected by this high-impact issue.
Another high-severity issue is a Path Traversal vulnerability in WebDAV, CVE-2025-12003 (CVSS 8.2), which may allow “unauthenticated remote attackers to impact the integrity of the device“.
Attackers can also leverage two distinct vulnerabilities within the bwdpi (bandwidth deep packet inspection) component, both rated at CVSS 7.5:
- Command Injection (CVE-2025-59370): A remote, authenticated attacker could “potentially execute arbitrary commands, leading to the device executing unintended instructions.“
- SQL Injection (CVE-2025-59369): This flaw could allow a remote, authenticated attacker to “potentially execute arbitrary SQL queries, leading to unauthorized data access.”
A separate Authentication Bypass vulnerability in the IFTTT integration feature, CVE-2025-59371 (CVSS 7.5), could be leveraged by a remote, authenticated attacker to “potentially gain unauthorized access to the device“. However, this specific flaw “does not affect Wi-Fi 7 series models.”
The advisory also details several other medium-to-high severity flaws:
- Stack Buffer Overflow (CVE-2025-59365, CVSS 6.9): An authenticated attacker can send a crafted request, “potentially impacting the availability of the device.”
- Path Traversal (CVE-2025-59372, CVSS 6.9): A remote, authenticated attacker could exploit this to “write files outside the intended directory, potentially affecting device integrity.”
- Integer Underflow (CVE-2025-59368, CVSS 6.0): Located in AiCloud, an authenticated attacker may trigger this, “potentially impacting the availability of the device.”
ASUS has released the latest firmware (released in October 2025) to mitigate all disclosed vulnerabilities. ASUS “strongly recommends that all users update their router firmware to the latest version immediately” to mitigate the risks.
Users can find the newest firmware on the ASUS support page or the relevant product page.
Related Posts:
- ASUS Urges Windows 11 Upgrade: The Dawn of AI-Powered PCs and the End of Windows 10
- Multiple vulnerabilities affect all versions of ASUS routers
- CISA Adds 5 Actively Exploited Vulnerabilities to KEV Catalog: ASUS Routers, Craft CMS, and ConnectWise Targeted
- ASUS Joins the Ranks of CVE Numbering Authorities
- CVE-2025-2492: Critical ASUS Router Vulnerability Requires Immediate Firmware Update
Donate