Security Concern for our routers or nah?

Todd Snigg

New Around Here
So Google has been blasting my Pixel phone's news feed with articles about a set of new vulnerabilities for the RT-AC1900p, which I own, running Merlin's build.

Examples: 1st Article 2nd Article

They reference CVE-2020-15498 and CVE-2020-15499, which appear to be an MTM and XSS type of issue.

Is this something I need to be concerned about if I'm running Merlin's build 384.17? Seems like maybe it's not an issue since I don't have my router set to auto-update firmware. But I was just curious. I didn't see much other discussion on this site and searched for those CVE #s to no avail.

Thanks,

Todd
 
Asuswrt-Merlin only checks for updates, it doesn't try to download them.
New firmware availability check will remain automatic, and firmware upload will remain manual. I don't support automatic "live updates". Just like it has always been with Asuswrt-Merlin. Only nodes running the stock Asus firmware will be able to perform live updates.

I'd be more concerned about custom scripts running on the router; lots of people seem to use wget --no-check-certificate without understanding what it does.
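
An added example, not part of the thread or of Asuswrt-Merlin: a shell check that lists script lines calling `wget --no-check-certificate`, extended here to curl's equivalent `-k`/`--insecure`. The directory argument, file names and URLs are constructed for illustration.

```shell
#!/bin/sh
# Audit a directory of custom scripts for downloads that skip TLS
# certificate verification. The directory is supplied by the caller.

# Print "file:line:text" for each non-comment line that runs wget or curl
# with certificate checking turned off.
find_insecure_fetch() {
    # -r recurse, -n line numbers, -E extended regex, -- ends grep options.
    grep -rnE -- \
      'wget[^|;&]*--no-check-certificate|curl[^|;&]*[[:space:]](-[A-Za-z]*k[A-Za-z]*|--insecure)([[:space:]]|$)' \
      "$1" 2>/dev/null |
    # Drop hits where the matched script line is itself a comment.
    grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || :
}

# Number of offending lines under the given directory.
count_insecure_fetch() {
    find_insecure_fetch "$1" | wc -l | tr -d ' '
}

# Constructed sample scripts (hypothetical names and URLs) for a dry run.
write_sample_scripts() {
    cat > "$1/start.sh" <<'EOF'
#!/bin/sh
wget --no-check-certificate -qO /tmp/list.txt https://example.invalid/list.txt
EOF
    cat > "$1/update-list.sh" <<'EOF'
#!/bin/sh
# old: wget --no-check-certificate https://example.invalid/a
wget -qO /tmp/a https://example.invalid/a
curl -sk https://example.invalid/b -o /tmp/b
EOF
}

# Run with --demo to scan the constructed samples in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_sample_scripts "$d"
    find_insecure_fetch "$d"
    rm -rf "$d"
fi
```

Each reported line is a download that would accept any certificate, so anyone in the network path could substitute the file the script fetches.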
 
Aside from the fact that my firmware doesn't have live update capabilities, I have been enforcing certificate checks for many years now.
 
Aside from the fact that my firmware doesn't have live update capabilities, I have been enforcing certificate checks for many years now.

Thanks Merlin for the peace of mind. We all really appreciate your work.
 