PT-2023-4035 · Asus · Asus Rt-Ac86U+1

Published 2023-07-17 · Updated 2024-03-27 · CVE-2023-35086

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

ASUS RT-AX56U V2 version 3.0.0.4.386_50460
ASUS RT-AC86U version 3.0.0.4_386_51529

Description

A format string vulnerability is identified in the ASUS RT-AX56U V2 and RT-AC86U routers. The issue is caused by directly using input as the format string when calling syslog in the logmessage_normal function of the do_detwan_cgi module of httpd. A remote attacker with administrator privilege can exploit this vulnerability to perform remote arbitrary code execution, arbitrary system operation, or disrupt service.

Recommendations

For ASUS RT-AX56U V2 version 3.0.0.4.386_50460 and ASUS RT-AC86U version 3.0.0.4_386_51529, consider disabling the logmessage_normal function in the do_detwan_cgi module of httpd until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
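The defect the Description names, as an added illustrative example that is not ASUS source: a logging wrapper that formats a message and then hands the already-formatted text to the syslog-style sink as its format string, beside the hardened form that always passes the text through a fixed "%s", plus a small counter of conversion directives in untrusted input that can serve as a request filter or detection rule. The names fake_syslog, logmessage_vulnerable, logmessage_fixed and count_format_directives are assumed here, and fake_syslog writes to a buffer instead of a real syslog daemon.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): the third parameter is a printf-style format.
 * Writes to a caller buffer so results can be checked without a daemon. */
__attribute__((format(printf, 3, 4)))
static void fake_syslog(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Shape of the defect in the advisory (illustrative, not ASUS source): the
 * message is formatted once, then the result, which carries CGI input, is
 * passed to the logger as its format. gcc -Wformat-security warns here. */
void logmessage_vulnerable(char *out, size_t n, const char *fmt, ...)
{
    char buf[512];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    fake_syslog(out, n, buf); /* BUG: buf is interpreted as a format */
}

/* Hardened form: the formatted text is always an argument to a fixed "%s"
 * format, so '%' sequences inside it are copied, never interpreted. */
void logmessage_fixed(char *out, size_t n, const char *fmt, ...)
{
    char buf[512];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    fake_syslog(out, n, "%s", buf);
}

/* Counts conversion directives in untrusted text ("%%" is a literal percent
 * and is not counted): usable as a request filter or a detection rule. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') s++; else count++;  /* "%%" is a literal */
    }
    return count;
}
```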

Exploit

Use of Externally-Controlled Format String

Weakness Enumeration

Related Identifiers

BDU:2023-04333
CVE-2023-35086

Affected Products

Asus Rt-Ac86U
Asus Rt-Ax56U V2