CVE-2025-15101

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with the existing privileges of an authenticated user on the affected device, including the ability to execute system commands through unintended mechanisms. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.asus.com/security-advisory/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:asus:asus_firmware:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-26 03:16

Updated : 2026-03-26 16:43

NVD link : CVE-2025-15101

Mitre link : CVE-2025-15101

CVE.ORG link : CVE-2025-15101

JSON object : View

Products Affected

asus

asus_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2025-15101", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-26T03:16:02.400", "references": [{"url": "https://www.asus.com/security-advisory/", "tags": ["Vendor Advisory"], "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with the existing privileges of an authenticated user on the affected device, including the ability to execute system commands through unintended mechanisms.\nRefer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information."}, {"lang": "es", "value": "Una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) ha sido identificada en la interfaz de gesti\u00f3n web de ciertos modelos de router ASUS. Esta vulnerabilidad permite potencialmente que se realicen acciones con los privilegios existentes de un usuario autenticado en el dispositivo afectado, incluyendo la capacidad de ejecutar comandos del sistema a trav\u00e9s de mecanismos no intencionados.\nConsulte la secci\u00f3n 'Security Update for ASUS Router Firmware' en el Aviso de Seguridad de ASUS para m\u00e1s informaci\u00f3n."}], "lastModified": "2026-03-26T16:43:20.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:asus:asus_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16C7B1D4-C9E4-420A-974E-816CEE4C159E", "versionEndIncluding": "3.0.0.6_102"}], "operator": "OR"}]}], "sourceIdentifier": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1"}