VYPR
Unrated severity · NVD Advisory · Published Sep 7, 2023 · Updated Sep 26, 2024

ASUS RT-AX55, RT-AX56U_V2 - Format String - 3

CVE-2023-39240

Description

A format string vulnerability has been identified in ASUS RT-AX56U V2's iperf client function API. The vulnerability is caused by a lack of validation for a specific value within its set_iperf3_cli.cgi module. A remote attacker with administrator privileges can exploit this vulnerability to achieve remote arbitrary code execution, perform arbitrary system operations, or disrupt service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A format string vulnerability in set_iperf3_cli.cgi on the ASUS RT-AX55 and RT-AX56U V2 allows an authenticated attacker with administrator privileges to achieve remote code execution.

Vulnerability

A format string vulnerability exists in the iperf client function API of ASUS RT-AX55 and RT-AX56U V2 routers. The flaw is located in the set_iperf3_cli.cgi module, which fails to properly validate a specific value passed to it, allowing an attacker-controlled string to reach a printf-style function as its format argument. The affected firmware version is 3.0.0.4.386_50460 for both models [1].

Exploitation

An attacker must have administrator privileges on the device to access the vulnerable API. With such access, the attacker can send a crafted request containing format string specifiers (e.g., %x, %n) to the set_iperf3_cli.cgi endpoint. The lack of validation means that these specifiers are interpreted by the underlying printf-style function, enabling the attacker to read or write arbitrary memory locations [1].
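As an added illustration of the mechanism the Vulnerability and Exploitation sections describe (this is not code from the advisory or from ASUS firmware, and the handler name and the sample iperf argument string are assumptions), the C below contrasts a request parameter used directly as a printf-style format with the constant-format fix, and adds the validation step the advisory says set_iperf3_cli.cgi lacked:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns true when `s` contains a printf conversion directive: a '%'
 * that is not the literal "%%" escape. This is the kind of validation
 * the advisory reports as missing for the CGI parameter. */
bool contains_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return true;            /* "%x", "%n", "%s", ... would be interpreted */
    }
    return false;
}

/* Vulnerable pattern (kept as a comment so the file compiles cleanly):
 *
 *     snprintf(out, n, param);   // param becomes the format string
 *
 * Here any directive in param is interpreted by the printf engine,
 * which is the behaviour described in the Exploitation section. */

/* Hardened pattern: the format is a constant and the parameter is data. */
int format_safe(char *out, size_t n, const char *param)
{
    return snprintf(out, n, "%s", param);
}

/* Hypothetical handler wrapper (assumed name): reject directives, then use
 * the constant format. Returns 0 on success, -1 when the value is refused
 * or would be truncated. */
int handle_iperf_param(char *out, size_t n, const char *param)
{
    if (param == NULL || contains_format_directive(param))
        return -1;
    int written = format_safe(out, n, param);
    if (written < 0 || (size_t)written >= n)
        return -1;              /* truncated: refuse rather than pass on */
    return 0;
}
```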

Impact

Successful exploitation allows a remote authenticated administrator to perform arbitrary code execution on the device, execute arbitrary system operations, or cause a denial-of-service condition. This results in full compromise of the router's confidentiality, integrity, and availability [1].

Mitigation

ASUS has released fixed firmware to address the vulnerability: both the RT-AX55 and the RT-AX56U V2 should be updated to version 3.0.0.4.386_51948. Users are advised to apply the update as soon as possible. No workarounds are mentioned in the advisory [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (3)

  • Asus/RT-AX56U V2 (no CPE; 2 versions): range 3.0.0.4.386_50460
  • Asus/RT-AX55: range 3.0.0.4.386_50460

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.