GCVE - cpe:2.3:h:asuswrt-merlin_project:rt-ac66u_b1:-:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:h:asuswrt-merlin_project:rt-ac66u_b1:-:*:*:*:*:*:*:*

part: h version: - update: *

Vendor	Asuswrt Merlin Project (`ab19736f-8fd7-5445-b9bc-1c2919cda709`)
Product	Rt Ac66U B1 (`f9a61268-0277-54b2-a182-8ce9cc7b888b`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2018-18320`	not_vulnerable	2026-06-03 14:38:22.733084	Details available An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because exec.php has a popen call. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution Published: 2018-10-15T06:00:00.000Z Updated: 2024-09-16T22:41:30.909Z Open on db.gcve.eu Reference links https://github.com/qoli/Merlin.PHP/issues/26 http://blog.51cto.com/010bjsoft/2298828	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-18319`	not_vulnerable	2026-06-03 14:38:22.724092	Details available An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution Published: 2018-10-15T06:00:00.000Z Updated: 2024-09-16T16:28:44.054Z Open on db.gcve.eu Reference links http://blog.51cto.com/010bjsoft/2298902 https://github.com/qoli/Merlin.PHP/issues/27	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-11420`	not_vulnerable	2026-06-03 14:36:28.399107	Details available Stack-based buffer overflow in ASUS_Discovery.c in networkmap in Asuswrt-Merlin firmware for ASUS devices and ASUS firmware for ASUS RT-AC5300, RT_AC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-AC66U_B1, RT-AC58U, RT-AC56U, RT-AC55U, RT-AC52U, RT-AC51U, RT-N18U, RT-N66U, RT-N56U, RT-AC3200, RT-AC3100, RT_AC1200GU, RT_AC1200G, RT-AC1200, RT-AC53, RT-N12HP, RT-N12HP_B1, RT-N12D1, RT-N12+, RT_N12+_PRO, RT-N16, and RT-N300 devices allows remote attackers to execute arbitrary code via long device information that is mishandled during a strcat to a device list. Published: 2017-07-18T05:00:00.000Z Updated: 2024-08-05T18:12:39.551Z Open on db.gcve.eu Reference links https://asuswrt.lostrealm.ca/changelog http://www.openwall.com/lists/oss-security/2017/07/13/1	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-11345`	not_vulnerable	2026-06-03 14:36:28.080458	Details available Stack buffer overflow in networkmap in Asuswrt-Merlin firmware for ASUS devices and ASUS firmware for ASUS RT-AC5300, RT_AC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-AC66U_B1, RT-AC58U, RT-AC56U, RT-AC55U, RT-AC52U, RT-AC51U, RT-N18U, RT-N66U, RT-N56U, RT-AC3200, RT-AC3100, RT_AC1200GU, RT_AC1200G, RT-AC1200, RT-AC53, RT-N12HP, RT-N12HP_B1, RT-N12D1, RT-N12+, RT_N12+_PRO, RT-N16, and RT-N300 devices allows remote attackers to execute arbitrary code on the router by hosting a crafted device description XML document (that includes a serviceType element) at a URL specified within a Location header in an SSDP response. Published: 2017-07-16T23:00:00.000Z Updated: 2024-08-05T18:05:30.586Z Open on db.gcve.eu Reference links https://asuswrt.lostrealm.ca/changelog http://www.openwall.com/lists/oss-security/2017/07/14/3	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-11344`	not_vulnerable	2026-06-03 14:36:28.055659	Details available Global buffer overflow in networkmap in Asuswrt-Merlin firmware for ASUS devices and ASUS firmware for ASUS RT-AC5300, RT_AC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-AC66U_B1, RT-AC58U, RT-AC56U, RT-AC55U, RT-AC52U, RT-AC51U, RT-N18U, RT-N66U, RT-N56U, RT-AC3200, RT-AC3100, RT_AC1200GU, RT_AC1200G, RT-AC1200, RT-AC53, RT-N12HP, RT-N12HP_B1, RT-N12D1, RT-N12+, RT_N12+_PRO, RT-N16, and RT-N300 devices allows remote attackers to write shellcode at any address in the heap; this can be used to execute arbitrary code on the router by hosting a crafted device description XML document at a URL specified within a Location header in an SSDP response. Published: 2017-07-16T23:00:00.000Z Updated: 2024-08-05T18:05:30.580Z Open on db.gcve.eu Reference links https://asuswrt.lostrealm.ca/changelog http://www.openwall.com/lists/oss-security/2017/07/14/3	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.