CVE-2023-35965

9.8 CRITICAL

📋 TL;DR

Two heap-based buffer overflow vulnerabilities in the httpd manage_post functionality of the Yifan YF325 router allow remote code execution via specially crafted network requests. An integer overflow leads to an improperly sized heap allocation, which an attacker can abuse to execute arbitrary code. Affects Yifan YF325 users running vulnerable firmware.

💻 Affected Systems

Products:
  • Yifan YF325
Versions: v1.0_20221108
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface which is typically enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level remote code execution, allowing attacker persistence, data theft, and network pivoting.

🟠 Likely Case

Remote code execution leading to router takeover, credential harvesting, and man-in-the-middle attacks on network traffic.

🟢 If Mitigated

Denial of service or limited information disclosure if the exploit fails to achieve full RCE.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details were published in Cisco Talos reports; the CVSS 9.8 score reflects low attack complexity with no authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates
2. Download latest firmware
3. Upload via web interface
4. Reboot router

🔧 Temporary Workarounds

Disable Remote Management (applies to: all versions)

Disable the web management interface on WAN/external networks.

Network Segmentation (applies to: all versions)

Isolate the router management interface to a trusted network segment.

🧯 If You Can't Patch

  • Replace vulnerable hardware with supported alternative
  • Implement strict network ACLs blocking all traffic to router management interface

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router web interface: if it is v1.0_20221108, the system is vulnerable.

Check Version:

Check via the web interface, or via SSH if enabled: cat /etc/version

Verify Fix Applied:

Confirm the firmware version has been updated to one newer than v1.0_20221108.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to manage_post endpoint
  • Memory allocation errors in system logs

Network Indicators:

  • HTTP POST requests with oversized or malformed data to router management port

SIEM Query:

source="router_logs" AND (uri="*manage_post*" AND (content_length>10000 OR status=500))
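The SIEM query above, applied to constructed log lines as an added example (not part of the original page or the vendor's software). The whitespace-separated log layout and the /manage_post URI are assumptions, not the router's actual log format; the thresholds are those of the query.

```python
"""Flag manage_post requests that match the SIEM query: *manage_post* URI and (body > 10000 bytes or HTTP 500)."""
import re
from collections import Counter

# Constructed sample lines in an assumed format (not real YF325 logs):
# <client> <method> <uri> <status> <content_length>
SAMPLE_LOG = """\
192.0.2.10 POST /manage_post 200 512
192.0.2.10 GET /index.html 200 0
198.51.100.7 POST /manage_post 500 640
198.51.100.7 POST /manage_post 200 65536
203.0.113.5 POST /login 200 128
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")
MAX_BODY = 10000  # content_length threshold from the SIEM query


def parse_line(line):
    """Return (client, method, uri, status, length) or None for lines that do not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, uri, status, length = m.groups()
    return client, method, uri, int(status), int(length)


def flag_manage_post(log_text):
    """Return one dict per suspicious manage_post request, with the reason(s) it matched."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "manage_post" not in rec[2]:
            continue
        client, _method, uri, status, length = rec
        reasons = []
        if length > MAX_BODY:
            reasons.append(f"oversized body ({length} bytes)")
        if status == 500:
            reasons.append("HTTP 500 (httpd may have crashed on the request)")
        if reasons:
            hits.append({"client": client, "uri": uri, "reasons": reasons})
    return hits


def clients_by_hits(hits):
    """Count matches per source address so repeated probing from one host stands out."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    matches = flag_manage_post(SAMPLE_LOG)
    for h in matches:
        print(h)
    print(clients_by_hits(matches))
```

Two of the five constructed lines match (the HTTP 500 and the 65536-byte body), both from the same client.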
