CVE-2023-35086
Published: 21 July 2023
Summary
CVE-2023-35086 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in ASUS RT-AC86U firmware. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A format string vulnerability exists in the do_detwan_cgi module of httpd on ASUS RT-AX56U V2 and RT-AC86U routers. The flaw is caused by the logmessage_normal function directly passing untrusted input as a format string to syslog and affects firmware versions 3.0.0.4.386_50460 on the RT-AX56U V2 and 3.0.0.4_386_51529 on the RT-AC86U.
A remote attacker who already possesses administrator credentials can exploit the weakness over the network to achieve arbitrary code execution, arbitrary system operations, or denial of service.
Public advisories published by TWCERT at the referenced URLs describe the issue and affected firmware but do not provide additional mitigation details beyond the CVE record. The associated EPSS score has remained at its peak value of 0.7589 since disclosure.
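The CWE-134 pattern described above, shown beside its corrected form. This is an added C illustration, not ASUS firmware code and not taken from the advisory. The names `render`, `log_vulnerable`, `log_hardened` and `interpreted_as_format` are hypothetical, and `render` stands in for `syslog` so the rendered text can be inspected. The constructed sample contains only `%%`, which consumes no arguments.

```c
/* Added illustration of CWE-134; all names are hypothetical, not firmware code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Stand-in for syslog(): renders fmt and its arguments into out for inspection. */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: the request value itself is used as the format string. */
int log_vulnerable(char *out, size_t n, const char *request_value)
{
    return render(out, n, request_value);
}

/* Hardened pattern: constant format string, request value passed only as data. */
int log_hardened(char *out, size_t n, const char *request_value)
{
    return render(out, n, "%s", request_value);
}

/* Returns 1 when the formatter interpreted part of the value instead of copying it.
 * Call only with values whose directives take no arguments (such as "%%");
 * anything else is undefined behaviour in the vulnerable path. */
int interpreted_as_format(const char *request_value)
{
    char a[128], b[128];
    log_vulnerable(a, sizeof a, request_value);
    log_hardened(b, sizeof b, request_value);
    return strcmp(a, b) != 0;
}

int main(void)
{
    const char *sample = "wan 100%% up";      /* constructed request value */
    printf("interpreted: %d\n", interpreted_as_format(sample));
    openlog("demo", LOG_PID, LOG_USER);
    syslog(LOG_INFO, "%s", sample);           /* the corrected syslog call shape */
    closelog();
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag a non-literal format string passed directly to `syslog` or `printf`-family functions.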
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-39121
Vulnerability details
It is identified a format string vulnerability in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by directly using input as a format string when calling syslog in logmessage_normal function, in the do_detwan_cgi module of httpd. A remote attacker with administrator privilege can exploit this vulnerability to perform remote arbitrary code execution, arbitrary system operation or disrupt service. This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529.
- CWE(s): CWE-134
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.