ASUS RT Series Routers FTP Service - Default anonymous access

From: Kyle Lovett <>
To: bugtraq <>
Subject: ASUS RT Series Routers FTP Service - Default anonymous access

Five ASUS RT series routers suffer from a vendor-introduced vulnerability: the
FTP service defaults to anonymous access with full read/write permissions.
The service, which is activated from the administrative console, gives
neither proper instructions nor any indication that the end user needs
to manually add a user to the FTP access table.

The vendor was first alerted to this issue in late June of 2012, and
then four other times officially from July 2012 to December 2012. It
was not until January of this year, when the editors for the Norwegian
publication IDG/PC World went to ASUS that any official response came.

This vulnerability has been exploited aggressively for some time now;
a rolling count kept since July 2012 shows that over 30,000 unique IP
addresses have, at one time or another, had their FTP service shared.

The FTP service, when not secured, allows full read/write access
to any external storage devices attached to the USB drives on the

The vendor has issued an official (beta) patch for the RT-AC68U as of
mid-January, and plans additional patches in the coming week.

Models Include:


CWE-287: Improper Authentication
CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:C/A:N/E:H/RL:OF/RC:C)

CVSS Base Score 9.4
Impact Subscore 9.2
Exploitability Subscore 10
CVSS Temporal Score 8.2
Overall CVSS Score 8.2

Many have reported malware being uploaded into the sync share folders,
large amounts of unauthorized file sharing and, most importantly, the
theft of entire hard drives of personal information. Over 7,300 units
are still vulnerable to this weakness as of today.

It is strongly urged that those with any of the above routers check to
ensure that their FTP service has been secured.
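A self-check for owners, added here as an example and not part of the original advisory or of any ASUS tooling: it connects to your own router's FTP port, tries the anonymous login the affected firmware accepts by default, and, only if that succeeds, probes whether anonymous users can also write by creating and immediately removing an empty directory. The router address 192.168.1.1 and the probe directory name are placeholders; the client_factory parameter exists only so the logic can be exercised against a fake client.

```python
import ftplib

# Constructed placeholder: replace with your own router's LAN address.
ROUTER_HOST = "192.168.1.1"
PROBE_DIR = "anon-write-probe"   # empty dir created and removed again


def check_anonymous_ftp(host, port=21, timeout=5.0, client_factory=ftplib.FTP):
    """Probe one FTP endpoint; returns {'reachable', 'anonymous_login', 'writable'}.
    client_factory lets a test substitute a fake client for ftplib.FTP."""
    result = {"reachable": False, "anonymous_login": False, "writable": False}
    ftp = client_factory()
    try:
        ftp.connect(host, port, timeout=timeout)
    except (OSError, ftplib.Error):
        return result              # port closed/filtered: FTP not exposed here
    result["reachable"] = True
    try:
        try:
            ftp.login("anonymous", "anonymous@")  # conventional anonymous creds
        except ftplib.error_perm:
            return result          # 530 reply: anonymous access is disabled
        result["anonymous_login"] = True
        try:
            ftp.mkd(PROBE_DIR)     # MKD succeeding is the finding ...
            result["writable"] = True
            ftp.rmd(PROBE_DIR)     # ... RMD cleans up so nothing is left behind
        except ftplib.error_perm:
            pass                   # 550 reply: anonymous access is read-only
    finally:
        ftp.close()
    return result


def verdict(result):
    """Map a probe result to a one-line finding."""
    if not result["reachable"]:
        return "FTP service not reachable on this address"
    if not result["anonymous_login"]:
        return "OK: anonymous login rejected"
    if result["writable"]:
        return "VULNERABLE: anonymous login accepted with write access"
    return "WARNING: anonymous login accepted (read-only)"


if __name__ == "__main__":
    print(verdict(check_anonymous_ftp(ROUTER_HOST)))
```

A secured router answers the anonymous login with a 530 reply and the script reports "OK"; any other verdict means the FTP access table still needs a real user and anonymous access should be disabled.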


Research Contact - Kyle Lovett
Discovered - June, 2012