VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 18, 2023· Updated Sep 25, 2024

ASUS RT-AX88U - externally-controlled format string

CVE-2023-41349

Description

ASUS RT-AX88U contains a format string vulnerability in OpenVPN that allows authenticated remote attackers to leak memory or cause permanent denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ASUS RT-AX88U contains a format string vulnerability in OpenVPN that allows authenticated remote attackers to leak memory or cause permanent denial of service.

Vulnerability

The ASUS RT-AX88U router contains an externally-controlled format string vulnerability in its Advanced Open VPN function. The flaw resides in how the device processes exported OpenVPN configuration files. Affected firmware versions are prior to 3.0.0.4_388_23748. An authenticated remote attacker can inject format string specifiers into the configuration, leading to unintended behavior [1].

Exploitation

An attacker must have valid authentication credentials to the router's management interface. By exporting the OpenVPN configuration and embedding format string tokens (e.g., %x, %n) into user-controlled fields, the attacker triggers the vulnerability when the device parses the configuration [1].

Impact

Successful exploitation can result in sensitive information leakage via memory read or cause the device to reset, leading to permanent denial of service. The CVSS score is 8.8 (High) with impacts on confidentiality, integrity, and availability [1].

Mitigation

ASUS has released firmware version 3.0.0.4_388_23748 to fix the vulnerability. Users should update immediately. No workarounds are provided, and the CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

References
  1. ASUS RT-AX88U - externally-controlled format string

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Asus/RT-AX88Ullm-fuzzy2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range:

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.