A remote command execution vulnerability was discovered in the ASUS DSL-N12E_C1 firmware version 126.96.36.199. The exploit was discovered and written upon by Fakhri Zulkifli and was only tested on version 188.8.131.52_345. The vulnerability’s impact on older versions remains unknown at this stage. To mitigate this vulnerability, ASUS has released an update (version 184.108.40.206_502) for the firmware of its devices and users are encouraged to upgrade the BIOS and firmware of their devices to this latest version to avoid the risks posed by this vulnerability.
DSL-N12E_C1 is a 300 Mbps wireless ADSL modem router by ASUS. The device features extensive area coverage, stronger signal broadcasting, faster speeds, and a simple 30-second router setup. The quick setup allows users to configure the device right from the browsers of their handheld devices.
Product support for this wireless device on the Asus website offers a firmware update to version 220.127.116.11_502. This update brings several bug fixes for both Annex A and Annex B. These fixes include a resolution to the UI failed to login issue as well as a failed to take effect issue under LAN > LAN IP. The update also enhances the functionality of the web server whilst improving the frequently asked questions resource link on common trouble shooting concerns. In addition to this, the update has improved the QoS default rule list and it has fixed a multitude of other UI related issues as well.
As the latest update for this ASUS wireless device has been out for over a month, it seems that the vulnerability only comes forward due to the neglect on the part of users to upgrade their systems. Details regarding the code fault sparking this vulnerability are outlined by Zulkifli in his exploit post. As the issue has already been resolved, a CVE was not requested for this vulnerability and the risk is deemed low given that a solution is only an update away.