What's new

ASUS RT-AX88U - externally-controlled format string - security vulnerability

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!


Regular Contributor
TWCERT/CC reporting a serious RT-AX88U Vulnerability. From the looks of things, it appears the vulnerability is related to OpenVPN.
Source: https://www.twcert.org.tw/tw/lp-132-1-1-60.html

Screenshot 2023-09-16 160926.png

Screenshot 2023-09-16 161503.png
Yes, the RT-AX88U is 'old'. The older the more time to hack it.

This is one reason why having the latest hardware (if/when possible) is actually a safety/security bonus. With the older routers, sure, a fix may (or may not) be released. With a newer model, it will be (and hopefully in a timely manner).

Sadly, I wouldn't expect this from a 2017 model, today. But Asus seems to be the only manufacturer that actually goes above and beyond any others with regards to this type of support, even for their older models.
That's a really new one, not documented by all means as of now.
What's interesting is targeting AX88U using the latest firmware. But it mention OpenVPN and AFAIK Asus is using the same OpenVPN release across different platforms on the same software track.
So if it's confirmed, it will definitely be bigger than AX88U.

I partially agree with L&LD point - a newer hardware tends to get newer software for longer. But that's not a bullet proof statement if we look at how many releases AC68U got - likely more than any other model (if not several models combined).

As long as AX88U is not end of life just keep upgrading. Every now and then s..t hits the fan and you get a major bug. But considering fairly limited Asus' dependency on a handful of chipsets, I fail to see a not-end of life model at any higher risk than other. It may get upgrades slower (read ROG routers that are lagging most times), but that's the best we can do. Yeap, keeping track on CVE as they are published with details makes sense, but most of us are unable to read those. But for ex if you're using OpenVPN and there's a bug in that code...makes sense to turn off that feature temporarily until the upgrade is published.
So much for the doom-mongers saying it won't receive a timely fix. :rolleyes:

You need to read the whole post before jumping to your presumptions.
Am I missing something, or isn't this already fixed? 23748 everyone, stop flappin


  • Selection_001.png
    110.5 KB · Views: 26
Last edited:
Last edited:
Wow, that firmware was released July 26th. Can't find any mention of the CVE in this or the previous release.
They don't list everything fixed in changelog. They never list whatever was broken in the process as well. :)

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!