CVE: CVE-2018-20333

Tested Versions: ASUSWRT (2018/02/01)

Product URL(s):

ASUSWRT is the firmware that is shipped with modern ASUS routers. ASUSWRT has a web-based interface, so it doesn’t need a separate app, or restrict what you can change via mobile devices – you get full access to everything, from any device that can run a web browser.


An unauthenticated user can request the http://<ROUTERIP>/update_applist.asp to see if a USB device is attached to the router and if there are apps installed on the router. Although getting to know if a USB storage is attached to the device does seems not a vulnerability, this will let the attacker knows more about the router.

The information can be seen when you view the source for the update_applist.asp page:


  • 2018-12-14 Vendor disclosure

Vendor Response

The vendor has acknowledged the issue and issued a firmware update to correct it.