What happened
CISA added CVE-2023-39780 (ASUS RT-AX55 OS command injection) to the Known Exploited Vulnerabilities (KEV) catalog, which signals confirmed exploitation in the wild rather than a theoretical risk [CISA KEV]. The entry names ASUS RT-AX55 routers as the affected product and describes a remote, authenticated path to arbitrary command execution via OS command injection (CWE-78) [CISA KEV]. The CISA short description also carries the phrase "as represented by CVE-2023-41346," a second identifier tied to the same flaw class on this device; searches of scanner output and ticket queues should match on both IDs, since tooling may have recorded the issue under either one [CISA KEV].
NVD lists CVE-2023-39780 under CWE-78 (OS Command Injection), consistent with CISA's description of arbitrary command execution [NVD CVE-2023-39780]. The MITRE CVE record confirms the identifier and its public registration for the ASUS RT-AX55 [MITRE CVE-2023-39780].
KEV entries carry due dates and required actions that are binding on federal civilian agencies under BOD 22-01; for this CVE the entry shows it was added on 2025-06-02 with a remediation due date of 2025-06-23, a three-week window [CISA KEV]. The required action is the standard KEV one: apply mitigations per vendor instructions, or discontinue use of the product if no mitigation is available [CISA KEV].
Why it matters
Inclusion in the KEV catalog means the vulnerability is known to be exploited, not merely exploitable, and warrants priority remediation across the whole fleet rather than case-by-case risk acceptance [CISA KEV]. The ASUS RT-AX55 is a mass-market Wi‑Fi 6 router, so affected units are common in homes, small offices and branch sites; on consumer firmware the web management process typically runs with full privileges, so arbitrary OS command execution amounts to complete control of the device, including its configuration, DNS settings and firewall rules [NVD CVE-2023-39780]. Command injection on a perimeter device can be used to pivot into the LAN, proxy attacker traffic, rewrite DNS answers or stage malware for downstream clients, which multiplies the impact relative to a single-host compromise [NVD CVE-2023-39780].
Because the flaw requires authentication, successful attacks are usually preceded by obtaining credentials: default or weak admin passwords, passwords reused from breached sites, or a stolen session against an exposed management interface. That makes credential hygiene and strict access control the cheapest preventive measures [CISA KEV]. KEV entries are prioritized because adversaries operationalize them at scale, often in automated campaigns that move faster than manual patch cycles [CISA KEV].
Technical detail
CVE-2023-39780 is classified as CWE-78, OS Command Injection: attacker-controlled input is placed into a command string that the firmware commonly hands to a shell, so shell metacharacters such as ';', '|' or '$(...)' in that input change which commands run [NVD CVE-2023-39780]. On the RT-AX55, successful exploitation allows a remote, authenticated attacker to run arbitrary commands on the router's operating system, which is the core risk in CISA's KEV note [CISA KEV]. The CVE metadata and the KEV entry scope the vulnerability to ASUS RT-AX55 devices [MITRE CVE-2023-39780].
Practically, OS command injection on a router means running system utilities, reading and writing files, tampering with configuration, and making arbitrary network connections under the device's identity, all of which support covert persistence (for example an altered startup configuration) or lateral movement [NVD CVE-2023-39780]. Because authentication is required, the viable attack surface is wherever the management interface is reachable and credentials can be obtained or replayed; that is the "remote, authenticated" posture in the KEV entry, and it is why a LAN-only interface with a unique password is exposed to far fewer attackers than one reachable from the internet [CISA KEV]. The agreement between CISA, NVD and MITRE on classification and affected product removes ambiguity and supports rapid remediation decisions [MITRE CVE-2023-39780].
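To make the CWE-78 mechanism concrete, here is an added example (not ASUS firmware code and not derived from the RT-AX55 flaw): a hypothetical "diagnostic" handler that builds a shell command from a form field, shown in its vulnerable form and in a hardened form. The command is `echo` instead of `ping` so the block runs anywhere without side effects; the attacker input `PAYLOAD` is constructed for the example.

```python
"""CWE-78 (OS command injection) illustrated, with the two standard fixes.

Added example, not ASUS code: the "diagnostic" handler is a generic stand-in
for any router feature that interpolates a form field into a shell command.
`echo` replaces `ping` so the block is side-effect free; the injection
mechanism is identical.
"""
import re
import subprocess

# Constructed attacker input: a valid-looking host, then a shell metacharacter
# and a second command.
PAYLOAD = "198.51.100.7; echo INJECTED"

# Hypothetical allow-list for this example: hostnames and IPv4 literals only.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def diag_vulnerable(host: str) -> str:
    """Vulnerable pattern: untrusted input interpolated into a shell string.

    The shell parses ';', '|', '&&', '$(...)' and so on, so the attacker's
    second command runs with the privileges of the web handler.
    """
    cmd = f"echo probing {host}"   # a router would build "ping -c 1 {host}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def argv_only(host: str) -> str:
    """Fix layer 1 on its own: no validation, but no shell either.

    The metacharacters reach `echo` as one literal argument, so the output
    contains the payload text but the second command never executes.
    """
    out = subprocess.run(["echo", "probing", host], capture_output=True, text=True)
    return out.stdout


def diag_hardened(host: str) -> str:
    """Fix layers 1 and 2: allow-list the value, then exec without a shell.

    Either layer alone stops PAYLOAD; together they also survive a weak regex
    or a later change that routes the value into a different command.
    """
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    out = subprocess.run(["echo", "probing", host], shell=False,
                         capture_output=True, text=True)
    return out.stdout


def injection_succeeded(output: str) -> bool:
    """True only if the attacker's second command actually ran."""
    return any(line.strip() == "INJECTED" for line in output.splitlines())


if __name__ == "__main__":
    print("vulnerable :", repr(diag_vulnerable(PAYLOAD)))
    print("argv only  :", repr(argv_only(PAYLOAD)))
    try:
        diag_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened ok:", repr(diag_hardened("198.51.100.7")))
```

The vulnerable path prints two lines because `sh -c` ran two commands; the argv-only path prints one line containing the literal payload; the hardened path rejects the payload before anything executes. Real firmware written in C has the same split: `system()`/`popen()` on a formatted string is the vulnerable shape, `execve()` with a fixed argv plus input validation is the safe one.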
Defense
- Prioritize remediation in line with the CISA KEV timeline: install the vendor firmware update for the RT-AX55 immediately, and where a device cannot be updated (out of support, unmanaged unit) replace it or take it offline rather than leave it running [CISA KEV].
- Restrict management-plane exposure: make sure the RT-AX55 admin interface is not internet-facing. On ASUS routers this means leaving WAN-side web access and other remote-management features disabled and reaching the UI only from a trusted LAN segment or over a VPN. An attacker who cannot reach the login page cannot use credentials against it, which removes most of the "remote" from the remote, authenticated path described in KEV [CISA KEV].
- Enforce strong authentication hygiene on router admin access: change default credentials, use a long unique password not shared with any other service, and rotate it if the interface was ever internet-exposed or the device shows signs of tampering. Consumer routers rarely offer MFA, so the password is the only factor standing between an attacker and the "authenticated" precondition [CISA KEV].
- Track the CVE in asset and vulnerability tooling: confirm every RT-AX55 is inventoried, that scanners report CVE-2023-39780 (and the related CVE-2023-41346 that CISA cites) with the CWE-78 classification, and that remediation status is recorded per device rather than per site [NVD CVE-2023-39780].
For federal civilian agencies these steps are not optional: the KEV due date is a BOD 22-01 deadline, and the same timeline is a sensible benchmark for everyone else [CISA KEV].
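The last two steps (tracking the CVE against inventory and working to the KEV due date) can be automated. The following added example, which is not part of the advisory and not Lyrie's code, matches a KEV entry against a fleet inventory and ranks unpatched devices by due date and management exposure. The KEV excerpt is constructed from the dates quoted above, using the field names of CISA's public JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the inventory and its `admin_wan_exposed` attribute are hypothetical.

```python
"""KEV-driven triage of a router fleet.

Added example, not part of the original advisory and not Lyrie's code.
Assumptions: KEV_JSON is a constructed excerpt in the shape of CISA's feed
(field names match the real feed; dates are the ones the advisory quotes);
ASSETS is an invented inventory; `admin_wan_exposed` is a hypothetical
attribute meaning the web UI answers on the WAN interface.
"""
from __future__ import annotations
import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt with a single entry.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2023-39780",
      "vendorProject": "ASUS",
      "product": "RT-AX55",
      "vulnerabilityName": "ASUS RT-AX55 OS Command Injection Vulnerability",
      "dateAdded": "2025-06-02",
      "shortDescription": "ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2025-06-23",
      "knownRansomwareCampaignUse": "Unknown",
      "cwes": ["CWE-78"]
    }
  ]
}
"""

# Constructed asset inventory (hypothetical fields).
ASSETS = [
    {"id": "rtr-branch-01", "vendor": "ASUS", "product": "RT-AX55", "admin_wan_exposed": True,  "patched": False},
    {"id": "rtr-branch-02", "vendor": "ASUS", "product": "RT-AX55", "admin_wan_exposed": False, "patched": False},
    {"id": "rtr-branch-03", "vendor": "ASUS", "product": "RT-AX55", "admin_wan_exposed": False, "patched": True},
    {"id": "rtr-hq-core",   "vendor": "Acme", "product": "EdgeBox", "admin_wan_exposed": True,  "patched": False},
]


@dataclass
class Finding:
    asset_id: str
    cve_id: str
    due: date
    days_left: int   # negative once the KEV due date has passed
    priority: str    # "P1" if overdue or WAN-exposed admin UI, else "P2"


def load_kev(raw: str) -> list[dict]:
    """Parse the feed (or an excerpt of it) into its list of entries."""
    return json.loads(raw)["vulnerabilities"]


def _norm(s: str) -> str:
    # KEV vendor/product strings are free text: normalize case and whitespace.
    return " ".join(s.lower().split())


def _matches(entry: dict, asset: dict) -> bool:
    return (_norm(entry["vendorProject"]) == _norm(asset["vendor"])
            and _norm(entry["product"]) == _norm(asset["product"]))


def triage(kev: list[dict], assets: list[dict], today: date) -> list[Finding]:
    """One Finding per unpatched asset that matches a KEV entry, most urgent first."""
    findings: list[Finding] = []
    for entry in kev:
        due = date.fromisoformat(entry["dueDate"])
        for asset in assets:
            if asset["patched"] or not _matches(entry, asset):
                continue
            days_left = (due - today).days
            urgent = days_left < 0 or asset["admin_wan_exposed"]
            findings.append(Finding(asset["id"], entry["cveID"], due,
                                    days_left, "P1" if urgent else "P2"))
    findings.sort(key=lambda f: (f.priority, f.days_left))
    return findings


def triage_on(iso_today: str, raw: str = KEV_JSON,
              assets: list[dict] = ASSETS) -> list[Finding]:
    """Run triage for a given ISO date against the embedded sample data."""
    return triage(load_kev(raw), assets, date.fromisoformat(iso_today))


if __name__ == "__main__":
    for f in triage_on("2025-06-10"):
        print(f)
```

Against the sample inventory on 2025-06-10 the WAN-exposed unit is P1 with 13 days left, the LAN-only unit is P2, the patched unit and the unrelated vendor produce nothing; rerun after 2025-06-23 and every remaining match becomes P1 with a negative `days_left`. In production, replace `KEV_JSON` with the downloaded feed and `ASSETS` with an export from the CMDB or scanner, and add `CVE-2023-41346` to the match set if your scanner reports the issue under that ID.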
Lyrie Verdict
Routers are prime targets for automated exploitation loops: once credentials are obtained, command injection can be scripted to push payloads, alter DNS, or proxy traffic at line rate with minimal human involvement [NVD CVE-2023-39780]. KEV inclusion means adversaries are already doing this at scale; human SOC triage will not keep pace with machine-speed abuse of management planes [CISA KEV]. Lyrie's posture is autonomous: detect the side effects of command execution in real time (management logins from anomalous sources, abrupt changes in router egress consistent with shell-launched tools, and cross-asset correlation to this CVE) and suppress them automatically without waiting for a manual response [CISA KEV]. Tying detections to CVE-2023-39780/CWE-78 semantics cuts false positives and blocks automated, including AI-driven, spray-and-auth campaigns before they weaponize your perimeter [MITRE CVE-2023-39780].