Researchers at Nightwatch Cybersecurity spotted nearly 40 Asus RT routers vulnerable to attacks that could allow attackers to change router settings, exfiltrate data and steal WiFi passwords.
The routers contains at least one of five vulnerabilities including a lack of CSRF protection on the routers login page, a lack of CSRF on save settings, an XML endpoint that reveals WiFi Passwords, and two JSONP information disclosure flaws, one of which the developers don't consider a vulnerability, according to a May 9 blog post.
The attacks require the attacker to know the local IP address of the router which researchers said could probably be guessed or determined via Javascript APIs.
The issues were patched by Asus in a March 2017 firmware update, aside from the JSONP information disclosure flaw that isn't regarded as a vulnerability. Researchers recommend users change their default credentials and apply the latest firmware update.
