The ASUS RP-AC52 access point, firmware version 18.104.22.168s and possibly earlier, is vulnerable to cross-site request forgery and command injection.
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2016-6557
The RP-AC52 web interface does not sufficiently verify whether a valid request was intentionally provided by the user. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.
A remote, unauthenticated attacker may be able to trick an authenticated user into clicking a specially crafted link, resulting in settings modification, privilege escalation, or complete control of the system.
Apply an update
Restrict access and use strong passwords
Thanks to Ian Smith for reporting these vulnerabilities.