Full Report
CISA is alerting federal agencies in the U.S. of hackers exploiting a recently patched ScreenConnect vulnerability that could lead to executing remote code on the server. [...]
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in ASUS Routers and Craft CMS Exploited in Attacks
## CVE Details
- **CVE ID:** CVE-2021-32030
  - **CVSS Score:** 9.8 (Critical)
  - **CWE:** Authentication Bypass (Implied)
- **CVE ID:** CVE-2023-39780
  - **CVSS Score:** 8.8 (High)
  - **CWE:** OS Injection (Implied)
- **CVE ID:** CVE-2024-56145
  - **CVSS Score:** 9.3 (Critical)
  - **CWE:** Code Injection (Implied)
- **CVE ID:** CVE-2025-35939
  - **CVSS Score:** 6.9 (Medium)
  - **CWE:** Unauthenticated PHP Code Introduction (Implied)
## Affected Systems
- **Products:** ASUS router devices, Craft CMS
- **Models (ASUS):** GT-AC2900, Lyra Mini (for CVE-2021-32030); RT-AX55 (for CVE-2023-39780)
- **Versions (Craft CMS):** Varies based on the specific vulnerability (CVE-2024-56145 and CVE-2025-35939)
- **Configurations:**
  - CVE-2023-39780 requires authentication.
  - CVE-2025-35939 is exploitable by an unauthenticated client.
## Vulnerability Description
The summary references four distinct vulnerabilities:
1. **CVE-2021-32030 (ASUS):** An authentication bypass flaw affecting ASUS GT-AC2900 and Lyra Mini devices.
2. **CVE-2023-39780 (ASUS RT-AX55):** An OS Injection vulnerability requiring authentication. This flaw has been chained by threat actors with other bypass techniques to form the AyySSHush botnet.
3. **CVE-2024-56145 (Craft CMS):** A Code Injection vulnerability that can lead to Remote Code Execution (RCE) under specific conditions.
4. **CVE-2025-35939 (Craft CMS):** A vulnerability allowing an unauthenticated client to introduce PHP code to known file locations on the Craft CMS server.
## Exploitation
- **Status:** **Exploited in the wild** (stated explicitly for CVE-2023-39780, and implied for all four by their addition to the CISA KEV catalog).
- **Complexity:** Not explicitly detailed. The botnet operation chains CVE-2023-39780 with a bypass that has no assigned CVE, which suggests **Medium** to **High** complexity for the full attack chain.
- **Attack Vector:** Likely **Network**, given that the targets are routers and a web application.
## Impact
All four vulnerabilities are in the CISA KEV catalog and enable code execution or authentication bypass, so impact is assessed as High across all metrics:
- **Confidentiality:** High (RCE, code injection potential).
- **Integrity:** High (RCE, arbitrary code execution/modification).
- **Availability:** High (Botnet creation, system compromise).
## Remediation
### Patches
The article states that CISA expects federal agencies to implement **vendor-recommended mitigations**. Specific patch versions are not detailed in the provided text, but immediate patching is required.
### Workarounds
Agencies must either implement vendor-recommended mitigations or **discontinue using the affected products** by June 23.
## Detection
- **Indicators of Compromise:** Presence of the AyySSHush botnet indicators on ASUS RT-AX55 devices that have been exploited (likely involving unauthorized SSH backdoors).
- **Detection Methods and Tools:** Organizations should consult the CISA KEV entries for these four CVEs (and the vendor advisories they point to) for the required action, due date, and any published artifacts related to their exploitation.
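The KEV check described above is straightforward to automate. The following is an added example, not code from the article or from CISA: it parses a feed in the layout of the public KEV JSON (the field names `cveID`, `vendorProject`, `product`, `dueDate` and `requiredAction` are those of the real feed), matches entries against a small asset inventory, and flags which remediation deadlines are past. The four entries, the inventory, and every date in the block are constructed sample data, not values from the real catalog.

```python
"""Cross-reference an asset inventory against CISA KEV-style entries.

Added example. The record layout mirrors the public KEV JSON feed; the
entries, inventory and dates below are CONSTRUCTED for illustration and are
not copied from the real catalog.
"""
from __future__ import annotations

import json
from datetime import date

# Constructed stand-in for the feed's "vulnerabilities" array (dates are placeholders).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-32030", "vendorProject": "ASUS", "product": "Routers",
         "dueDate": "2030-01-23",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-2023-39780", "vendorProject": "ASUS", "product": "Routers",
         "dueDate": "2030-01-23",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-2024-56145", "vendorProject": "Craft CMS", "product": "Craft CMS",
         "dueDate": "2030-01-30",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-2025-35939", "vendorProject": "Craft CMS", "product": "Craft CMS",
         "dueDate": "2030-01-30",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    ]
})

# Constructed inventory. KEV product strings are coarse ("Routers", not "RT-AX55"),
# so a vendor-level match (product=None) is usually what you need for network gear.
INVENTORY = [
    {"vendor": "ASUS", "product": None},
    {"vendor": "Craft CMS", "product": "Craft CMS"},
]


def load_kev(raw_json: str) -> list[dict]:
    """Parse the feed text and return its 'vulnerabilities' array."""
    return json.loads(raw_json)["vulnerabilities"]


def match_inventory(entries: list[dict], inventory: list[dict]) -> list[dict]:
    """Return KEV entries whose vendor (and, if given, product) appears in the inventory."""
    hits = []
    for entry in entries:
        for asset in inventory:
            if entry["vendorProject"].casefold() != asset["vendor"].casefold():
                continue
            wanted = asset.get("product")
            if wanted is None or wanted.casefold() in entry["product"].casefold():
                hits.append(entry)
                break  # one inventory match per entry is enough
    return hits


def triage(entries: list[dict], today: date) -> list[dict]:
    """Attach days-until-due and an overdue flag, sorted by due date then CVE ID."""
    rows = []
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cveID": entry["cveID"],
            "dueDate": entry["dueDate"],
            "days_left": (due - today).days,  # negative when the deadline has passed
            "overdue": due < today,
            "requiredAction": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


if __name__ == "__main__":
    # Constructed "today" so both overdue and pending cases show up.
    for row in triage(match_inventory(load_kev(KEV_SAMPLE), INVENTORY), date(2030, 1, 25)):
        state = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(f"{row['cveID']}: due {row['dueDate']} ({state}) - {row['requiredAction']}")
```

In production you would fetch the live feed and your real inventory instead of the embedded samples; the matching and deadline logic stays the same.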
## References
- CISA KEV Catalog listing (Implied)
- Vendor advisories for ASUS and Craft CMS (Implied)
- BleepingComputer coverage of the GreyNoise report on the AyySSHush botnet: hxxps://www.bleepingcomputer.com/news/security/botnet-hacks-9-000-plus-asus-routers-to-add-persistent-ssh-backdoor/