ASUSWRT Information Disclosure on update_applist.asp



Tested Versions

  • ASUSWRT (2018/02/01)

Product URL(s)


ASUSWRT is the firmware that is shipped with modern ASUS routers. ASUSWRT has a web-based interface, so it doesn’t need a separate app, or restrict what you can change via mobile devices – you get full access to everything, from any device that can run a web browser.


An unauthenticated user can request http://<ROUTERIP>/update_applist.asp to see whether a USB device is attached to the router and whether any apps are installed on it. Although knowing that USB storage is attached may not seem like a vulnerability, it lets the attacker learn more about the router.

The information can be seen when you view the source for the update_applist.asp page.
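A patch check for the behaviour described above, as an added example that is not part of the original advisory: it requests update_applist.asp from a router you administer, with no cookies or credentials, and classifies the answer without following redirects. The `Main_Login.asp` marker and the rule that any other non-empty 200 response counts as exposed are assumptions, since the advisory does not show what patched firmware returns.

```python
import urllib.error
import urllib.request

PATH = "/update_applist.asp"     # endpoint named in the advisory
LOGIN_MARKER = "Main_Login.asp"  # assumption: login page name seen in redirects


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them to a login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status


def classify(status, location, body):
    """Return 'auth-required', 'exposed' or 'inconclusive' for one response."""
    if status in (401, 403):
        return "auth-required"
    if 300 <= status < 400:
        return "auth-required" if LOGIN_MARKER in (location or "") else "inconclusive"
    if status == 200:
        text = body.strip()
        if not text:
            return "inconclusive"
        # A 200 whose body only bounces the browser to the login page is not a leak.
        if LOGIN_MARKER in text:
            return "auth-required"
        return "exposed"
    return "inconclusive"


def check_router(base_url, timeout=5.0):
    """Fetch the page unauthenticated and classify what comes back."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + PATH, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, resp.headers.get("Location"), body)
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx arrive here
        return classify(err.code, err.headers.get("Location"), "")
    except (urllib.error.URLError, OSError):
        return "inconclusive"  # unreachable host, TLS failure, timeout
```

A result of `exposed` after a firmware update means the response should be inspected by hand before concluding the fix is missing, because the heuristic cannot tell a harmless 200 page from the leaking one.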

Vendor Response

The vendor has acknowledged the issue and issued a firmware update to correct it.


  • 2019-02-19 Vendor disclosure
  • 2019-02-25 Vendor acknowledged and patched


Discovered by CodeBreaker of STAR Labs
