Release ASUS RT-AX86U Pro Firmware version 3.0.0.6.102_34406 2025/10/28

[bbunge]

Version 3.0.0.6.102_34406

58.21 MB

2025/10/28

SHA-256 ：A96AD6D8E21F44591E7285984F8A25655DE8492C5E435D5803E1574B9CB3C4D7

- Enhanced system stability.
- Enhanced input validation and refactored legacy string handling routines to ensure robust memory management.
- Mitigated security risks in AiCloud service by enforcing strict credential verification, implementing robust file path validation, and hardening command execution logic to prevent unauthorized access and manipulation of system resources.
- Implemented comprehensive validation and expanded command filtering in the web history API.
- Strengthened input validation and directory handling in the VPN configuration upload interface.
- Fixed an issue that allowed certain user settings to be bypassed, improving overall user control and protection.

(Having problems with the download link)
Asus support page: https://www.asus.com/us/networking-...86u-pro/helpdesk_bios?model2Name=RT-AX86U-Pro

 

[jksmurf]

Well there you go… here it is. just had to be patient.

 

[bbunge]

Tried to upgrade the node. Got a firmware upgrade unsuccessful. :-(

Edit: for some reason my Mac had problems unzipping the file. Trying again with the node.

All is well. Router and AiMesh node upgraded! Am surprised that there was no recommendation to factory reset and use a 10 digit password.

 

[bennor]

Funny just checked half an hour or so ago and no update. Anyway, direct link to the firmware, copy and paste it into your browser.

https://dlcdnets.asus.com/pub/ASUS/wireless/RT-AX86U%20Pro/FW_RT_AX86U_Pro_300610234406.zip

 

[Justinh]

Hmm ... why no warning to do a firmware reset?

 

[SteverinoLA]

I had to change the %20 to a space for the download to work.

 

[Intrepid]

This link works to the download page:

RT-AX86U Pro｜WiFi Routers｜ASUS USA

AX5700 Dual Band WiFi 6 Gaming Router, Mobile Game Mode, AiProtection Pro, WPA3, Parental Control, Mesh WiFi support, 2.5G Port, Gaming Port, Adaptive QoS, Port Forwarding

www.asus.com

 

[DarkKnight75]

Finally..updated..all good!

 

[Smedley]

Aren't we still missing the updates from the last round?


Security Enhancements
- Password Policy Upgrade – Minimum 10 characters with at least 1 letter, 1 digit and 1 special symbol, and no consecutive identical characters; hardens defense against brute-force attacks.
- HTTPS on 8443 – Management interface now served over TLS by default.
- UPnP Disabled – Universal Plug and Play starts in the off state for reduced surface exposure.
- AiCloud Authentication Hardening (CWE-287) – Added layered verification.
- Authentication Logic Refactor – Removed redundant code paths for a lean sign-in flow.
- Memory Safety Guard (CWE-476) – Introduced null-reference protections across critical services.
- Enhanced IPsec Parameter Validation – The existing input checks have been hardened.
- Data Exposure Mitigation (CWE-200) – Reinforced controls on sensitive pathways.
- Detailed Audit Trails – Expanded logging within the authentication module.

System Improvements
- Connection Stability – Core algorithms refined for steadier links.
- Scheduling Accuracy – Timed tasks execute reliably under PPPoE, PPTP and L2TP WAN modes.
- Client List Maintenance – Resolved an issue that prevented offline devices from being removed from the client list.

 

[bbunge]

Aren't we still missing the updates from the last round?


Security Enhancements
- Password Policy Upgrade – Minimum 10 characters with at least 1 letter, 1 digit and 1 special symbol, and no consecutive identical characters; hardens defense against brute-force attacks.
- HTTPS on 8443 – Management interface now served over TLS by default.
- UPnP Disabled – Universal Plug and Play starts in the off state for reduced surface exposure.
- AiCloud Authentication Hardening (CWE-287) – Added layered verification.
- Authentication Logic Refactor – Removed redundant code paths for a lean sign-in flow.
- Memory Safety Guard (CWE-476) – Introduced null-reference protections across critical services.
- Enhanced IPsec Parameter Validation – The existing input checks have been hardened.
- Data Exposure Mitigation (CWE-200) – Reinforced controls on sensitive pathways.
- Detailed Audit Trails – Expanded logging within the authentication module.

System Improvements
- Connection Stability – Core algorithms refined for steadier links.
- Scheduling Accuracy – Timed tasks execute reliably under PPPoE, PPTP and L2TP WAN modes.
- Client List Maintenance – Resolved an issue that prevented offline devices from being removed from the client list.

Do not think many will miss the 10 character password.

 

[colossus]

Successful using Web-GUI Administration | Firmware Upgrade feature.

 

[bennor]

Hmm ... why no warning to do a firmware reset?

Aren't we still missing the updates from the last round?
<snip>

Similar observation was made earlier yesterday to the ASUS ROG Rapture GT-AXE16000 Firmware version 3.0.0.6.102_36422 (2025/10/28). One suggestion in a later post in that discussion was try changing the router password to see if it forces the new 10 character requirement. Or perform a reset and see if the new password requirement is forced on QiS setup.

Also wondered the same yesterday in the RT-AX86U Pro abandoned thread prior to this firmware release if the August/September fixes other routers received would be included. Asus release notes tend to be a bit vague leaving one to scratch their heads wondering if fixes other routers received were included in this router's firmware.

 

[fruitcornbread]

Also wondered the same yesterday in the RT-AX86U Pro abandoned thread prior to this firmware release if the August/September fixes other routers received would be included. Asus release notes tend to be a bit vague leaving one to scratch their heads wondering if fixes other routers received were included in this router's firmware.

Practically every router that didn't have the initial August firmware and just received the October firmware are in the same situation. On an unrelated note, the only router I found that made mention of August patch notes is RT-AX1800S V2 and RT-AX57M with FW 3.0.0.4.388_33965, but they use Mediatek SoC and it's still missing some parts of the patch notes like the following:
From October patch notes missing

- Mitigated security risks in AiCloud service by enforcing strict credential verification, implementing robust file path validation, and hardening command execution logic to prevent unauthorized access and manipulation of system resources.

From August patch notes missing:

- AiCloud Authentication Hardening (CWE-287) – Added layered verification.
System Improvements
- Connection Stability – Core algorithms refined for steadier links.
- Scheduling Accuracy – Timed tasks execute reliably under PPPoE, PPTP and L2TP WAN modes.
- Client List Maintenance – Resolved an issue that prevented offline devices from being removed from the client list.

However, it could be because it doesn't have AiCloud.