CVE-2023-35087

CRITICAL

Asus Rt-ac86u Firmware - Format String Vulnerability

Title source: rule

Description

It is identified a format string vulnerability in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by lacking validation for a specific value when calling cm_processChangedConfigMsg in ccm_processREQ_CHANGED_CONFIG function in AiMesh system. An unauthenticated remote attacker can exploit this vulnerability without privilege to perform remote arbitrary code execution, arbitrary system operation or disrupt service. This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529.

References (1)

[Third Party Advisory] https://www.twcert.org.tw/tw/cp-132-7249-ab2d1-1.html

Scores

CVSS v3 9.8

EPSS 0.0141

EPSS Percentile 80.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-134

Status published

Products (2)

asus/rt-ac86u_firmware 3.0.0.4_386_51529

asus/rt-ax56u_v2_firmware 3.0.0.4.386_50460

Published Jul 21, 2023

Tracked Since Feb 18, 2026