CVE-2021-32030

Name: CVE-2021-32030
Creator: NVD / NIST
Published: 2021-05-06T15:15:07.973+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10Actively ExploitedEPSS 99.35%

Last modified Jun 17, 2026

CVE-2021-32030 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 and Lyra Mini before 3.0.0.4_384_46630 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. CISA has confirmed active exploitation in the wild. EPSS estimates a 99.35% chance of exploitation in the next 30 days.

Description

The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 and Lyra Mini before 3.0.0.4_384_46630 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations. Note: All versions of Lyra Mini and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability, Consumers can mitigate this vulnerability by disabling the remote access features from WAN.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

99.35%

99.9th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Jun 23, 2025.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Asus	Lyra Mini Firmware	< 3.0.0.4.384.46630
Asus	Gt-Ac2900 Firmware	< 3.0.0.4.386.42643

References

https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.mdBroken Link, Exploit, Third Party Advisory
https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AC2900/HelpDesk_BIOS/Product
https://www.asus.com/us/supportonly/lyra%20mini/helpdesk_bios/Product
https://www.atredis.com/blog/2021/4/30/asus-authentication-bypassExploit
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.mdBroken Link, Exploit, Third Party Advisory
https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AC2900/HelpDesk_BIOS/Product
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32030US Government Resource

Timeline

Published: May 6, 2021
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2021-32030?

How severe is CVE-2021-32030?

CVE-2021-32030 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 99.35% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2021-32030?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-32030?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST