CVE-2023-35086
ASUS RT-AX56U V2 & RT-AC86U - Format String -1
In short
A format string vulnerability in ASUS routers allows an attacker with admin access to send specially crafted input that gets mishandled by the logging function, potentially leading to unauthorized code execution or system disruption.
Technical detail
A format string vulnerability exists in the logmessage_normal function of the do_detwan_cgi module within httpd, where unsanitized user input is passed directly as a format string to syslog. An authenticated remote attacker can leverage this to achieve arbitrary code execution, arbitrary system operations, or denial of service on affected RT-AX56U V2 and RT-AC86U devices.
Summary generated and translated by AI from the official description.
It is identified a format string vulnerability in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by directly using input as a format string when calling syslog in logmessage_normal function, in the do_detwan_cgi module of httpd. A remote attacker with administrator privilege can exploit this vulnerability to perform remote arbitrary code execution, arbitrary system operation or disrupt service.
This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →