VYPR
Unrated severity · NVD Advisory · Published Jul 21, 2023 · Updated Oct 24, 2024

ASUS RT-AX56U V2 & RT-AC86U - Format String -1

CVE-2023-35086

Description

A format string vulnerability has been identified in ASUS RT-AX56U V2 & RT-AC86U. It is caused by using input directly as the format string when calling syslog in the logmessage_normal function, in the do_detwan_cgi module of httpd. A remote attacker with administrator privilege can exploit this vulnerability to perform remote arbitrary code execution, arbitrary system operation or disrupt service.

This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A format string vulnerability in ASUS RT-AX56U V2 and RT-AC86U allows authenticated remote attackers to execute arbitrary code via crafted input to the httpd do_detwan_cgi module.

Vulnerability

The httpd daemon's do_detwan_cgi module contains a format string vulnerability in the logmessage_normal function, which directly passes user-supplied input as the format string argument to syslog. This allows an attacker with administrator privileges to inject format specifiers. Affected firmware versions: RT-AX56U V2 3.0.0.4.386_50460 and RT-AC86U 3.0.0.4_386_51529. [1]

Exploitation

The attacker must have administrator credentials to access the web interface. By sending a crafted HTTP request to the vulnerable endpoint, the attacker can supply format string tokens (e.g., %x, %n) in the input. The logmessage_normal function then passes this input directly to syslog, allowing the attacker to read or write arbitrary memory locations. [1]
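The safe calling convention for the bug class described above, as an added example (not ASUS firmware code and not part of the advisory): the format string is a constant, untrusted text is passed only as a `%s` argument, and a small scanner flags values that contain conversion directives. `log_untrusted`, `count_format_directives` and the sample input are hypothetical; the real `logmessage_normal` signature is not shown on this page.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf-style conversion directives in s ("%%" is a literal percent). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                         /* escaped percent sign */
            continue;
        p += strspn(p, "-+ #'0123456789*$.");  /* flags, width, precision, N$ */
        p += strspn(p, "hljztL");              /* length modifiers */
        if (*p == '\0')
            break;                             /* dangling '%' at end of input */
        if (strchr("diouxXeEfFgGaAcspn", *p))
            n++;
        else
            p--;                               /* not a directive: re-scan this char */
    }
    return n;
}

/* Hypothetical hardened log helper (not the firmware's logmessage_normal).
 * Vulnerable pattern from the description: syslog(LOG_NOTICE, msg);
 * Here the format is a constant and untrusted text is only a "%s" argument.
 * Returns -1 if the line does not fit, else the directive count in msg. */
int log_untrusted(char *line, size_t cap, const char *tag, const char *msg)
{
    int len = snprintf(line, cap, "%s: %s", tag, msg);
    if (len < 0 || (size_t)len >= cap)
        return -1;
    syslog(LOG_NOTICE, "%s", line);            /* never syslog(LOG_NOTICE, line) */
    return count_format_directives(msg);
}

int main(void)
{
    char line[256];
    const char *sample = "value=%08x.%n";      /* constructed sample input */
    int hits = log_untrusted(line, sizeof line, "httpd", sample);
    printf("logged \"%s\" (%d format directives flagged)\n", line, hits);
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn about the vulnerable form, a non-literal format string with no arguments.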

Impact

Successful exploitation enables remote arbitrary code execution with root privileges, arbitrary system operations, or denial of service. The attacker gains full control over the affected device. [1]

Mitigation

ASUS has released fixed firmware: RT-AX56U V2 should be updated to 3.0.0.4_386_51598 and RT-AC86U to 3.0.0.4.386_51915. No workarounds are documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Asus/RT-AX56U V2 · llm-create · 2 versions
    3.0.0.4.386_50460 + 1 more
    • (no CPE) range: 3.0.0.4.386_50460
    • (no CPE) range: 3.0.0.4.386_50460
  • Asus/RT-AC86U · llm-fuzzy · 2 versions
    3.0.0.4_386_51529 + 1 more
    • (no CPE) range: 3.0.0.4_386_51529
    • (no CPE) range: 3.0.0.4_386_51529

Patches

0

No patches discovered yet.

References

1