CVE-2023-35967

9.8 CRITICAL

📋 TL;DR

Two heap-based buffer overflow vulnerabilities in Yifan YF325 routers allow remote attackers to execute arbitrary code or cause denial of service via specially crafted network requests. The vulnerabilities affect Yifan YF325 routers running version v1.0_20221108. Attackers can exploit these without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • Yifan YF325
Versions: v1.0_20221108
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the gwcfg_cgi_set_manage_post_data functionality specifically. All devices running this firmware version are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, lateral movement to internal networks, and persistent backdoor installation.

🟠 Likely Case

Remote code execution allowing attackers to intercept network traffic, modify device configuration, or use the device as a botnet node.

🟢 If Mitigated

Denial of service if the exploit fails or is detected, potentially causing a device reboot or service disruption.

🌐 Internet-Facing: HIGH - The vulnerability is in network request handling and can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - While primarily internet-facing, compromised internal devices could be used for lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending specially crafted network requests but does not require authentication. Technical details are publicly available in Talos reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found

Restart Required: Yes

Instructions:

1. Contact Yifan vendor for updated firmware
2. Backup current configuration
3. Upload and install patched firmware
4. Reboot device
5. Verify firmware version

🔧 Temporary Workarounds

Network Segmentation

Isolate YF325 routers from the internet and restrict access to the management interfaces (rules shown for iptables on the device or an upstream Linux firewall in front of it):

# Block all inbound HTTP/HTTPS management traffic
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Access Control

Restrict the web management interface to trusted IP addresses only (rule order matters: the ACCEPT must be appended before the catch-all DROP):

# Allow management access only from the trusted LAN range, then drop everything else
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Replace affected devices with supported alternatives
  • Implement strict network monitoring and anomaly detection for exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface at http://router-ip/status, or SSH/Telnet to the device and run 'cat /proc/version'

Check Version:

curl -s http://router-ip/status | grep -i version || ssh admin@router-ip 'cat /proc/version'

Verify Fix Applied:

Verify that the firmware version is no longer v1.0_20221108 and test with a vulnerability scanner if available

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to management CGI endpoints
  • Multiple failed allocation attempts in system logs
  • Process crashes related to gwcfg_cgi

Network Indicators:

  • Unusual HTTP POST requests with large or malformed data to router management interface
  • Traffic patterns suggesting buffer overflow attempts

SIEM Query:

source="router_logs" AND ("gwcfg_cgi" OR "malloc failed" OR "segmentation fault")
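The log and network indicators above, turned into a small correlation check as an added example (not part of this page and not Yifan's code): it tags oversized POSTs to CGI endpoints and the crash keywords from the SIEM query, then escalates when a crash indicator follows a large POST within a few lines. The syslog-style line format, the /cgi-bin/manage.cgi path and the 4096-byte body threshold are assumptions, and the sample lines are constructed.

```python
import re
from typing import Dict, Iterable, List

# Constructed syslog-style lines (not captured from a real device). The
# "len=" body size and "src=" client fields are an assumed format.
SAMPLE_LOGS = [
    "2023-09-01T10:00:01 yf325 httpd: POST /cgi-bin/manage.cgi len=212 src=192.168.1.20",
    "2023-09-01T10:00:05 yf325 httpd: POST /cgi-bin/manage.cgi len=9876 src=203.0.113.7",
    "2023-09-01T10:00:05 yf325 user.err gwcfg_cgi: malloc failed",
    "2023-09-01T10:00:06 yf325 kernel: gwcfg_cgi[512]: segmentation fault",
    "2023-09-01T10:01:00 yf325 httpd: GET /status src=192.168.1.20",
    "2023-09-01T11:30:00 yf325 kernel: gwcfg_cgi[530]: segmentation fault",
]

POST_RE = re.compile(r"POST (?P<path>\S+) .*?\blen=(?P<len>\d+) .*?\bsrc=(?P<src>\S+)")
# Keywords from the page's SIEM query; matched case-insensitively.
CRASH_KEYWORDS = ("gwcfg_cgi", "malloc failed", "segmentation fault")


def classify_line(line: str, max_post_len: int = 4096) -> List[str]:
    """Tag one log line with the indicators it matches."""
    tags: List[str] = []
    m = POST_RE.search(line)
    if m and "cgi" in m.group("path").lower():
        tags.append("cgi_post")
        if int(m.group("len")) > max_post_len:
            tags.append("oversized_cgi_post")
    if any(k in line.lower() for k in CRASH_KEYWORDS):
        tags.append("crash_indicator")
    return tags


def scan_logs(lines: Iterable[str], max_post_len: int = 4096, window: int = 3) -> List[Dict]:
    """One alert per oversized CGI POST ('high' if a crash follows within `window` lines); crashes with no such POST are 'low'."""
    lines = list(lines)
    tagged = [classify_line(l, max_post_len) for l in lines]
    alerts: List[Dict] = []
    explained = set()  # crash line indexes already attributed to a POST
    for i, tags in enumerate(tagged):
        if "oversized_cgi_post" not in tags:
            continue
        m = POST_RE.search(lines[i])
        crashes = [j for j in range(i + 1, min(i + 1 + window, len(lines)))
                   if "crash_indicator" in tagged[j]]
        explained.update(crashes)
        alerts.append({"severity": "high" if crashes else "medium", "src": m.group("src"),
                       "path": m.group("path"), "len": int(m.group("len")), "crash_lines": crashes})
    for j, tags in enumerate(tagged):
        if "crash_indicator" in tags and j not in explained:
            alerts.append({"severity": "low", "src": None, "path": None, "len": 0, "crash_lines": [j]})
    return alerts
```

Run `scan_logs(SAMPLE_LOGS)` to get one "high" alert for the 9876-byte POST from 203.0.113.7 (crash lines 2 and 3 follow it) and one "low" alert for the later, unexplained crash.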

🔗 References
