CVE-2023-35087

ASUS RT-AX56U V2 & RT-AC86U - Format String - 2

Description

A format string vulnerability has been identified in ASUS RT-AX56U V2 & RT-AC86U. It is caused by missing validation of a specific value when cm_processChangedConfigMsg is called in the ccm_processREQ_CHANGED_CONFIG function of the AiMesh system. An unauthenticated remote attacker can exploit this vulnerability without privilege to perform remote arbitrary code execution, arbitrary system operation or disrupt service. This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529.

Remediation

Solution:

  • RT-AX56U V2: update firmware version to 3.0.0.4_386_51598
  • RT-AC86U: update firmware version to 3.0.0.4.386_51915

Category

CVSS 3.1: 9.8
Severity: Critical
EPSS 1.06% Top 25%
Third-Party Advisory org.tw
Affected: ASUS RT-AX56U V2
Affected: ASUS RT-AC86U

Frequently Asked Questions

What is the severity of CVE-2023-35087?
CVE-2023-35087 has been scored as a critical severity vulnerability.
How to fix CVE-2023-35087?
To fix CVE-2023-35087: for RT-AX56U V2, update firmware version to 3.0.0.4_386_51598; for RT-AC86U, update firmware version to 3.0.0.4.386_51915.
Is CVE-2023-35087 being actively exploited in the wild?
It is possible that CVE-2023-35087 is being exploited or will be exploited in the near future, based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-35087?
CVE-2023-35087 affects ASUS RT-AX56U V2, ASUS RT-AC86U.