Security researcher Joshua Drake published an advisory warning that "all known firmware versions for applicable routers (RT-AC66U, RT-N66U, etc.) are assumed vulnerable."
The bug allows an attacker on the same network to take full administrative control of the router without needing a password. The only known fix is to disable the troublesome infosvr service by killing the process when the affected device boots. This step has to be repeated each time the device restarts.
A working exploit was also published alongside the advisory.
While the bug may not be a major issue for those on private networks at home, those in offices or on public Wi-Fi are most at risk.
We've reached out to Asus but had not heard back at the time of writing.