Vulnerability CVE-2018-14993

Published: 2019-04-25

The ASUS Zenfone V Live Android device with a build fingerprint of asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1802.78-20180313:user/release-keys and the Asus ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys both contain a pre-installed platform app with a package name of com.asus.splendidcommandagent (versionCode=1510200090, versionName= that contains an exported service named com.asus.splendidcommandagent.SplendidCommandAgentService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, obtain the user's text messages, and more.



(Improper Neutralization of Special Elements used in a Command ('Command Injection'))

Vendor: ASUS
Product: Zenfone 3 max firmware 
Product: Zenfone v live firmware 

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
Exploit range
Attack complexity
No required
Confidentiality impact
Integrity impact
Availability impact


Related CVE
An issue was discovered in Asuswrt-Merlin 384.6. There is a stack-based buffer overflow issue in parse_req_queries function in wanduck.c via a long string over UDP, which may lead to an information leak.
AsusPTPFilter.sys on Asus Precision TouchPad hardware has a Pool Overflow associated with the \\.\AsusTP device, leading to a DoS or potentially privilege escalation via a crafted DeviceIoControl call.
A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG...
The web api server on Port 8080 of ASUS HG100 firmware up to 1.05.12, which is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associ...
System command injection in appGet.cgi on ASUS RT-AC3200 version allows attackers to execute system commands via the "load_script" URL parameter.
Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter.
Buffer overflow in appGet.cgi on ASUS RT-AC3200 version allows attackers to inject system commands via the "hook" URL parameter.
Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version allows attackers to cause state-changing actions with specially crafted URLs.

Copyright 2019,


Back to Top