Unrated severity · NVD Advisory · Published Sep 7, 2023 · Updated Sep 26, 2024

ASUS RT-AX55, RT-AX56U_V2 - Format String - 1

CVE-2023-39238

Description

A format string vulnerability has been identified in ASUS RT-AX56U V2. The vulnerability is caused by a lack of validation for a specific value within its set_iperf3_svr.cgi module. A remote attacker with administrator privileges can exploit this vulnerability to perform remote arbitrary code execution, perform arbitrary system operations, or disrupt service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A format string vulnerability in ASUS RT-AX55 and RT-AX56U V2 routers allows authenticated remote administrators to execute arbitrary code via the set_iperf3_svr.cgi module.

Vulnerability

The set_iperf3_svr.cgi module in ASUS RT-AX55 (firmware version 3.0.0.4.386_50460) and RT-AX56U V2 (firmware version 3.0.0.4.386_50460) contains a format string vulnerability. The module fails to validate a specific input value, allowing an attacker to inject format specifiers. [1]

Exploitation

An attacker must have network access and valid administrator credentials to reach the vulnerable API. By sending a crafted request to set_iperf3_svr.cgi with malicious format string tokens, the attacker can trigger memory corruption and achieve code execution. [1]

Impact

Successful exploitation enables remote arbitrary code execution, arbitrary system operations, or denial of service. The attacker gains full control over the affected router, compromising confidentiality, integrity, and availability. [1]

Mitigation

ASUS has released fixed firmware: RT-AX55 and RT-AX56U V2 should both be updated to 3.0.0.4.386_51948. Users should apply the updates immediately. No workaround is available. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • Asus/RT-AX56U V2 (llm-fuzzy), 2 versions
    • (no CPE)
    • (no CPE), range: 3.0.0.4.386_50460
  • Asus/RT-AX55 (cpe-rescue)
    Range: 3.0.0.4.386_50460

Patches

0

No patches discovered yet.

References

1