Overview
CVE-2025-59369 details a SQL injection vulnerability discovered in the bwdpi component of ASUS router firmware. This vulnerability allows a remote attacker, with valid authentication credentials, to potentially execute arbitrary SQL queries against the router’s database. This could lead to unauthorized data access, modification, or even complete compromise of the device.
Technical Details
The vulnerability resides within the bwdpi component, likely due to insufficient sanitization of user-supplied input that is later used in SQL queries. A remote, authenticated attacker can inject malicious SQL code into specific input fields. When the router processes this manipulated input, it executes the injected SQL code, potentially granting the attacker access to sensitive data stored within the router’s database.
The exact vulnerable parameters and SQL injection vector are not publicly detailed here for security reasons. Refer to the official ASUS Security Advisory for specific details regarding affected firmware versions and the scope of the vulnerability.
CVSS Analysis
As of the publication of this article, the CVSS score for CVE-2025-59369 is listed as N/A by ASUS. This means a CVSS score has not yet been formally calculated for this vulnerability. However, given that it’s a SQL Injection affecting a network device, it is advisable to take the necessary actions. The risk level should be considered high, especially in environments where unauthorized access to network devices could have significant consequences.
A CVSS score will likely be calculated by ASUS or a third-party vulnerability database in the future and added to relevant security advisories.
Possible Impact
Successful exploitation of CVE-2025-59369 could have severe consequences:
- Data Breach: Attackers could gain access to sensitive information stored within the router’s database, such as Wi-Fi passwords, VPN credentials, and network configuration details.
- Device Compromise: The attacker could potentially modify the router’s configuration, install malicious firmware, or use the router as a pivot point for further attacks within the network.
- Denial of Service: By manipulating the database, the attacker could potentially disrupt the router’s functionality, leading to a denial of service.
- Lateral Movement: If the router is connected to a larger network, the attacker could use the compromised router to gain access to other devices and systems within the network.
Mitigation and Patch Steps
The primary mitigation for CVE-2025-59369 is to update your ASUS router firmware to the latest version. ASUS has released a security update to address this vulnerability. Follow these steps:
- Visit the ASUS support website for your specific router model.
- Download the latest firmware version.
- Follow the instructions provided by ASUS to update your router’s firmware. Ensure you follow the instructions carefully to avoid bricking your device.
- After updating the firmware, it’s recommended to change your router’s administrator password to a strong, unique password.
Refer to the Security Update for ASUS Router Firmware section on the ASUS Security Advisory for specific firmware versions and instructions.
