What happened

CISA added CVE-2021-32030 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-06-02, signaling confirmed in-the-wild exploitation CISA KEV. The KEV entry names ASUS Lyra Mini and ASUS ROG Rapture GT-AC2900 routers as affected products under “ASUS Routers” CISA KEV. The vulnerability is classified as Improper Authentication (CWE-287), enabling unauthorized access to the administrative interface NVD CVE-2021-32030. MITRE’s record confirms the CVE assignment and references the same weakness class MITRE CVE-2021-32030.

CISA’s short description warns the impacted products could be end-of-life or end-of-service and advises discontinuing use if mitigations are unavailable CISA KEV. The KEV entry sets a remediation due date of 2025-06-23 for federal agencies, reflecting urgency tied to active exploitation CISA KEV. The vulnerability is tracked under CWE-287, a class routinely associated with privilege bypass on network appliances NVD CVE-2021-32030.

Why it matters

Inclusion in KEV means exploitation is not hypothetical; it’s observed and validated by CISA CISA KEV. For routers, unauthorized entry to the admin plane collapses trust boundaries by granting control over configuration and management endpoints NVD CVE-2021-32030. When devices are EoL/EoS, patches may never arrive, elevating the risk profile and making “discontinue use” the only defensible outcome where mitigations do not exist CISA KEV.

CVE-2021-32030 maps to Improper Authentication (CWE-287), a weakness that undermines identity checks at the gate—precisely the control router admins rely on to restrict management functions NVD CVE-2021-32030. The combination of KEV status and an auth bypass on edge gear places these models high on operator triage lists for rapid containment CISA KEV.

Technical detail

The vulnerability allows an attacker to gain unauthorized access to the router’s administrative interface due to improper authentication (CWE-287) NVD CVE-2021-32030. Affected products named in KEV are ASUS Lyra Mini and ASUS ROG Rapture GT-AC2900 under the “ASUS Routers” umbrella CISA KEV. The KEV short description explicitly calls out the EoL/EoS possibility and the recommendation to discontinue product utilization if mitigations are not available CISA KEV.

Public records for this CVE currently provide the identification, affected product family, and weakness classification without vendor-side technical internals (e.g., handlers, endpoints, or version granularity) MITRE CVE-2021-32030. Operators should treat the impact surface as the full administrative interface given the CWE-287 classification and KEV summary language NVD CVE-2021-32030. The federal remediation due date of 2025-06-23 indicates CISA’s expectation for rapid action in response to observed exploitation CISA KEV.

Defense

• Discontinue use of affected ASUS Lyra Mini and GT-AC2900 devices where mitigations are unavailable, per KEV guidance CISA KEV.
• If vendor mitigations exist, apply them immediately and validate the administrative interface is not internet-exposed (aligns with KEV required action) CISA KEV.
• Prioritize inventory and isolation: locate these models and segment or remove their management plane from untrusted networks while decommissioning as needed (prioritization justified by KEV status) CISA KEV.
• For U.S. Federal agencies, meet the KEV due date (2025-06-23) and document disposition if devices are EoL/EoS and cannot be remediated CISA KEV.

Operating assumption for response: a working auth bypass exists in the wild against these models, per KEV inclusion CISA KEV. Treat any observed access to the admin interface from unexpected sources as an incident until proven otherwise NVD CVE-2021-32030.

Lyrie Verdict

CVE-2021-32030 is an active exploitation item against edge routers with an authentication weakness (CWE-287), so manual triage will lag automated scanning and spray attempts CISA KEV. Lyrie’s posture is to hunt management-plane abuse at machine speed: continuous discovery of admin endpoints on router IPs, correlation to KEV/CVE fingerprints, and autonomous suppression of unauthorized admin sessions before lateral movement can even start NVD CVE-2021-32030. For this CVE, the strategy is simple—treat any authentication-free or anomalous admin access against ASUS Lyra Mini or GT-AC2900 as malicious by default and enforce immediate quarantine and operator notification, mapped directly to KEV urgency CISA KEV. This is how you outpace rogue AI-driven exploitation loops that probe and compromise unmanaged edge gear in minutes, not hours MITRE CVE-2021-32030.