Format string error in Asus products - CVE-2023-39239

 

Format string error in Asus products - CVE-2023-39239

Published: September 6, 2023


Vulnerability identifier: #VU80483
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-39239
CWE-ID: CWE-134
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Asus
Affected software:
RT-AX55
RT-AX56U_V2
RT-AC86U

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a format string error in the API of the general setting function. A remote attacker can supply a specially crafted input that contains format string specifiers and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


How to mitigate CVE-2023-39239

Install updates from vendor's website.

Sources