CVE-2023-35086

ASUS RT-AX56U V2 & RT-AC86U - Format String -1

Description

It is identified a format string vulnerability in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by directly using input as a format string when calling syslog in logmessage_normal function, in the do_detwan_cgi module of httpd. A remote attacker with administrator privilege can exploit this vulnerability to perform remote arbitrary code execution, arbitrary system operation or disrupt service. This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529.

Remediation

Solution:

RT-AX56U V2: update firmware version to 3.0.0.4_386_51598 RT-AC86U: update firmware version 3.0.0.4.386_51915

References

Link	Tags
https://www.twcert.org.tw/tw/cp-132-7240-a5f96-1.html	third party advisory

Frequently Asked Questions

What is the severity of CVE-2023-35086?: CVE-2023-35086 has been scored as a high severity vulnerability.
How to fix CVE-2023-35086?: To fix CVE-2023-35086: RT-AX56U V2: update firmware version to 3.0.0.4_386_51598 RT-AC86U: update firmware version 3.0.0.4.386_51915
Is CVE-2023-35086 being actively exploited in the wild?: It is possible that CVE-2023-35086 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~74% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-35086?: CVE-2023-35086 affects ASUS RT-AX56U V2, ASUS RT-AC86U.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Remediation

Category

CWE-134 – Use of Externally-Controlled Format String

References

Frequently Asked Questions