CVE-2023-35087

CRITICAL

ASUS RT-AX56U V2 & RT-AC86U Firmware - Remote Code Execution via Format String in AiMesh

Title source: llm

Description

It is identified a format string vulnerability in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by lacking validation for a specific value when calling cm_processChangedConfigMsg in ccm_processREQ_CHANGED_CONFIG function in AiMesh system. An unauthenticated remote attacker can exploit this vulnerability without privilege to perform remote arbitrary code execution, arbitrary system operation or disrupt service. This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529.

References (1)

Core 1

Core References

Third Party Advisory

https://www.twcert.org.tw/tw/cp-132-7249-ab2d1-1.html

Scores

CVSS v3 9.8

EPSS 0.0089

EPSS Percentile 54.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-134

Status published

Products (2)

asus/rt-ac86u_firmware 3.0.0.4_386_51529

asus/rt-ax56u_v2_firmware 3.0.0.4.386_50460

Published Jul 21, 2023

Tracked Since Feb 18, 2026