ASUS RT-AX56U V2 & RT-AC86U - Format String - 2
Description
A format string vulnerability has been identified in ASUS RT-AX56U V2 & RT-AC86U. It is caused by a lack of validation of a specific value when cm_processChangedConfigMsg is called in the ccm_processREQ_CHANGED_CONFIG function of the AiMesh system. An unauthenticated remote attacker can exploit this vulnerability, without any privileges, to perform remote arbitrary code execution or arbitrary system operations, or to disrupt service. This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A format string vulnerability in ASUS RT-AX56U V2 and RT-AC86U AiMesh allows unauthenticated remote code execution.
Vulnerability
A format string vulnerability exists in the ccm_processREQ_CHANGED_CONFIG function within the AiMesh system of ASUS RT-AX56U V2 (firmware 3.0.0.4.386_50460) and RT-AC86U (firmware 3.0.0.4_386_51529). The function cm_processChangedConfigMsg fails to properly validate a specific value before using it as a format string argument, allowing an attacker to inject arbitrary format specifiers [1].
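The bug class described above, shown as an added example that is not ASUS firmware code: every function name and sample value is hypothetical, and rejecting any `%` in a received value is an assumed validation policy. The vulnerable form is only compiled when `SHOW_VULNERABLE` is defined.

```c
#include <stdio.h>
#include <string.h>

#ifdef SHOW_VULNERABLE
/* Vulnerable pattern: the untrusted value IS the format string, so any
 * conversion specifiers it contains are interpreted by snprintf. */
static int record_value_vulnerable(char *out, size_t n, const char *value) {
    return snprintf(out, n, value);
}
#endif

/* Hardened pattern: constant format string, untrusted value passed as data. */
static int record_value_safe(char *out, size_t n, const char *value) {
    return snprintf(out, n, "%s", value);
}

/* Defence in depth (assumed policy): before the value reaches any formatting
 * or logging code, reject empty or over-long values and any value containing
 * '%' or a control character. Returns 1 if acceptable, 0 otherwise. */
static int value_is_acceptable(const char *value, size_t max_len) {
    size_t i;
    for (i = 0; value[i] != '\0'; i++) {
        unsigned char c = (unsigned char)value[i];
        if (i >= max_len || c == '%' || c < 0x20 || c == 0x7f)
            return 0;
    }
    return i > 0;
}

/* Returns 1 when the hardened path reproduced the value byte for byte,
 * i.e. no specifier inside it was interpreted. */
static int safe_output_matches(const char *value) {
    char buf[128];
    int n = record_value_safe(buf, sizeof buf, value);
    return n == (int)strlen(value) && strcmp(buf, value) == 0;
}

int main(void) {
    /* Constructed sample values, not taken from any real message. */
    const char *samples[] = { "wl0_ssid=HomeNet", "cfg_%s_%x", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[%s] acceptable=%d literal_copy=%d\n", samples[i],
               value_is_acceptable(samples[i], 64),
               safe_output_matches(samples[i]));
    return 0;
}
```

Building with `-Wformat -Wformat-security` flags calls like the one in `record_value_vulnerable` at compile time.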
Exploitation
An unauthenticated remote attacker can exploit this vulnerability over the network without requiring any prior privileges or user interaction. The attacker sends a crafted request to the AiMesh service that includes malicious format string tokens within the affected parameter. The lack of input validation causes the function to interpret these tokens, leading to memory corruption [1].
Impact
Successful exploitation enables arbitrary code execution with root privileges on the device. The attacker can perform arbitrary system operations, disrupt services, or fully compromise the router. This constitutes a complete compromise of confidentiality, integrity, and availability [1].
Mitigation
ASUS has released firmware updates to address this issue: RT-AX56U V2 should be updated to version 3.0.0.4_386_51598, and RT-AC86U should be updated to version 3.0.0.4.386_51915 [1]. No workarounds are documented; users are advised to apply these updates immediately.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: =3.0.0.4.386_50460
- (no CPE) range: 3.0.0.4.386_50460
Patches
No patches discovered yet.
References: 1
News mentions
No linked articles in our index yet.