ASUS GT-BE98-Pro Firmware version 3.0.0.6.102_39260 does not include the CVE-2025-15101 fix!

[cc666]

This is confirmed by Asus. Its a 8.5/10 on the security threat, why is the fix not availiable.

CC

 

[bennor]

... why is the fix not availiable.

Why ask here? Asus generally does not respond on this site. If you spoke to Asus, why not ask them. Wild speculation is they will release new firmware at some future time with the fix and indicate such (CVE patch) in the firmware release notes like they've done many times in the past.

Release - ASUS GT-BE98 Pro Firmware version 3.0.0.6.102_39260 (2026/03/12)

Version 3.0.0.6.102_39260 68.74 MB 2026/03/12 Improvements: Optimized Wi-Fi roaming stability for devices supporting 802.11k but not allowing 11v. Improved Wi-Fi roaming compatibility and stability for iOS 26 devices. Refined accessibility-related UI and interaction details. Enhanced stability...

www.snbforums.com

Asus Router Firmware Security Bulletin for CVE-2025-15101 (03/25/2026)

Per the https://www.asus.com/security-advisory/ site. A notice for firmware 3.0.0.6_102 and earlier posted on 3/25/2026. Security Update for ASUS Router Firmware ASUS has released a security update for ASUS routers to mitigate Reported vulnerability and strongly recommends updating to the latest...

www.snbforums.com

 

[cc666]

Why ask here? Asus generally does not respond on this site. If you spoke to Asus, why not ask them. Wild speculation is they will release new firmware at some future time with the fix and indicate such (CVE patch) in the firmware release notes like they've done many times in the past.

Release - ASUS GT-BE98 Pro Firmware version 3.0.0.6.102_39260 (2026/03/12)

Version 3.0.0.6.102_39260 68.74 MB 2026/03/12 Improvements: Optimized Wi-Fi roaming stability for devices supporting 802.11k but not allowing 11v. Improved Wi-Fi roaming compatibility and stability for iOS 26 devices. Refined accessibility-related UI and interaction details. Enhanced stability...

www.snbforums.com

Asus Router Firmware Security Bulletin for CVE-2025-15101 (03/25/2026)

Per the https://www.asus.com/security-advisory/ site. A notice for firmware 3.0.0.6_102 and earlier posted on 3/25/2026. Security Update for ASUS Router Firmware ASUS has released a security update for ASUS routers to mitigate Reported vulnerability and strongly recommends updating to the latest...

www.snbforums.com

My point being its a critical issue, they had firmware that fixed it but never released it. Seems no sense of urgency to me.

CC

 

[jzchen]

My point being its a critical issue, they had firmware that fixed it but never released it. Seems no sense of urgency to me.

CC

Yes I can understand your concern. I asked my friend there and (quite quickly) the moderator on ZenTalk came and apologized. It is perfectly fine to post a firmware and remove it for whatever reason, but not so good practice to send an email out to update to a non-existent version/non-existent fix.

I did notice that for other models that I did receive emails for (this model is a tester for me and unregistered), that the firmware version to fix the CVE was already released a week or two prior to the email. Also I noticed that those release notes do not mention the specific CVE of concern. Only more/most recent Merlin firmware is still noting specific CVEs in the change log.

 

[RMerlin]

Those CSRF security flaws are not trivial to exploit. There is no real need to panic over them. You would need to be actively logged into the router webui at the same time that you access a malicious link that would then inject code into your logged webui.