CVE-2023-35087

EPSS 1.06%
Published 21.07.2023 08:15:09
Last modified 21.11.2024 08:07:57
Source twcert@cert.org.tw
Teams watchlist Login
Open Login

It is identified a format string vulnerability in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by lacking validation for a specific value when calling cm_processChangedConfigMsg in ccm_processREQ_CHANGED_CONFIG function in AiMesh system. An unauthenticated remote attacker can exploit this vulnerability without privilege to perform remote arbitrary code execution, arbitrary system operation or disrupt service.
This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529.

Affected products Warnungen 0 Metrics 2 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Asus ≫ Rt-ac86u Firmware Version3.0.0.4_386_51529

Asus ≫ Rt-ac86u Version-

Asus ≫ Rt-ax56u V2 Firmware Version3.0.0.4.386_50460

Asus ≫ Rt-ax56u V2 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.06%	0.764

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
twcert@cert.org.tw	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-134 Use of Externally-Controlled Format String

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

https://www.twcert.org.tw/tw/cp-132-7249-ab2d1-1.html

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-35087

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-35087

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-35087

EUVD