ASUS RT-AC58U – Multiple Stored and Reflected Cross-Site Scripting (XSS) Vulnerabilities
Disclosure Status
disclosed
April 09, 2026
April 09, 2026
Description
Finding
The issues were discovered by analyzing the ASUS RT-AC58U web interface, in which multiple pages and endpoints can be abused to inject malicious HTML/JS.
Reproducibility
Send crafted input (e.g., script or HTML) to vulnerable endpoints such as Advanced_ASUSDDNS_Content.asp, Logout.asp, and ajax_status.xml on an ASUS RT-AC58U running firmware ≤ 3.0.0.4.380_6516.
Impact
Medium-severity Cross-Site Scripting (XSS) (CVSS 6.1). Remote attackers can inject scripts into the router UI, potentially leading to session hijacking or credential theft.
Patches
Not specified here; update the ASUS firmware to a later version that fixes the XSS issues.
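To find devices that still need the update, the added example below (not part of the original advisory and not ASUS code) checks an inventory for RT-AC58U units at or below the affected version 3.0.0.4.380_6516. The inventory entries are constructed, and comparing versions numerically component by component is an assumption about how ASUS firmware strings are ordered.

```python
import re

# Last affected firmware version, as stated in the advisory.
LAST_AFFECTED = "3.0.0.4.380_6516"
MODEL = "RT-AC58U"

def parse_fw(version):
    """Return the numeric components of a firmware string as a tuple.

    Assumption: components are decimal and separated by '.' or '_';
    anything after the numeric core (e.g. a '-beta' suffix) is ignored.
    """
    m = re.match(r"\s*(\d+(?:[._]\d+)*)", version or "")
    if not m:
        raise ValueError("unrecognised firmware version: %r" % (version,))
    return tuple(int(p) for p in re.split(r"[._]", m.group(1)))

def is_affected(version, bound=LAST_AFFECTED):
    """True if version <= bound, comparing component by component."""
    v, b = parse_fw(version), parse_fw(bound)
    width = max(len(v), len(b))
    v += (0,) * (width - len(v))   # pad so a missing build number counts as 0
    b += (0,) * (width - len(b))
    return v <= b

def triage(inventory):
    """Classify each device: affected / not affected / out of scope / unknown."""
    result = {}
    for dev in inventory:
        if dev["model"].strip().upper() != MODEL:
            result[dev["host"]] = "out of scope"   # advisory covers one model only
            continue
        try:
            affected = is_affected(dev["firmware"])
        except ValueError:
            result[dev["host"]] = "unknown"        # needs a manual check
            continue
        result[dev["host"]] = "affected" if affected else "not affected"
    return result

# Constructed sample inventory (hosts and firmware strings are made up).
SAMPLE = [
    {"host": "192.0.2.1", "model": "RT-AC58U", "firmware": "3.0.0.4.380_6516"},
    {"host": "192.0.2.2", "model": "rt-ac58u", "firmware": "3.0.0.4.380_9999"},
    {"host": "192.0.2.3", "model": "RT-AC58U", "firmware": "3.0.0.4.379_1000"},
    {"host": "192.0.2.4", "model": "RT-AC58U", "firmware": "unknown"},
    {"host": "192.0.2.5", "model": "EXAMPLE-ROUTER", "firmware": "1.0"},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```

Devices reported as "unknown" have a firmware string the parser could not read and should be checked by hand rather than assumed safe.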
Workarounds
Disable or restrict access to the admin web interface; use strong authentication.
References
https://github.com/remix30303/AsusXSS