CVE-2023-35087 – A format string vulnerability in ASUS AiMesh sy... (How to Fix)

Q: What is the severity of CVE-2023-35087?

CVE-2023-35087 has a CVSS score of 9.8 (CRITICAL). A format string vulnerability in ASUS AiMesh system allows unauthenticated remote attackers to execute arbitrary code on affected routers. This affects ASUS RT-AX56U V2 and RT-AC86U routers with specific vulnerable firmware versions. Attackers can gain full control of the device without authentication.

📋 TL;DR

A format string vulnerability in ASUS AiMesh system allows unauthenticated remote attackers to execute arbitrary code on affected routers. This affects ASUS RT-AX56U V2 and RT-AC86U routers with specific vulnerable firmware versions. Attackers can gain full control of the device without authentication.

💻 Affected Systems

Products:

ASUS RT-AX56U V2
ASUS RT-AC86U

Versions: RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529

Operating Systems: ASUSWRT firmware

Default Config Vulnerable: ⚠️ Yes

Notes: AiMesh feature must be enabled for exploitation. Default configuration includes AiMesh functionality.

📦 What is this software?

Rt Ac86u Firmware by Asus

View all CVEs affecting Rt Ac86u Firmware →

Rt Ax56u V2 Firmware by Asus

View all CVEs affecting Rt Ax56u V2 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attacker to install persistent malware, intercept all network traffic, pivot to internal networks, or brick the device.

🟠

Likely Case

Remote code execution leading to device takeover, credential theft, and use as attack platform for further network intrusion.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access and AiMesh features disabled.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Format string vulnerabilities typically have low exploitation complexity. No authentication required makes this particularly dangerous.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check ASUS support site for latest firmware updates

Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-7249-ab2d1-1.html

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to Administration > Firmware Upgrade. 3. Check for updates. 4. Download and install latest firmware. 5. Reboot router after installation.

🔧 Temporary Workarounds

Disable AiMesh

all

Disable AiMesh functionality to remove attack vector

Navigate to AiMesh > System Settings > Disable AiMesh

Restrict WAN Access

all

Block external access to router management interface

Configure firewall to block WAN access to router ports (typically 80, 443, 8443)

🧯 If You Can't Patch

Place router behind firewall with strict inbound rules
Disable remote management and AiMesh features

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under Administration > Firmware Upgrade

Check Version:

Login to router web interface and check firmware version

Verify Fix Applied:

Verify firmware version is newer than affected versions listed in advisory

📡 Detection & Monitoring

Log Indicators:

Unusual process execution
Failed authentication attempts to AiMesh services
Format string error messages in system logs

Network Indicators:

Unusual outbound connections from router
Traffic to unexpected ports from router
AiMesh protocol anomalies

SIEM Query:

source="router" AND (event="format_string" OR process="cm_processChangedConfigMsg" OR service="AiMesh")

📊 Metadata

CVE ID: CVE-2023-35087

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-134

Published: July 21, 2023

Last Updated: November 21, 2024

🔗 References

https://www.twcert.org.tw/tw/cp-132-7249-ab2d1-1.html Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-7249-ab2d1-1.html Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-35087, you might also want to check these: