CVE-2023-35720 Overview
CVE-2023-35720 is a SQL Injection vulnerability affecting the ASUS RT-AX92U router's lighttpd web server, specifically within the mod_webdav.so module. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected ASUS RT-AX92U routers without requiring authentication.
The specific flaw exists within the mod_webdav.so module's request parsing functionality. When processing user-supplied input, the module fails to properly validate and sanitize strings before incorporating them into SQL queries. This lack of input validation enables attackers to inject malicious SQL statements, ultimately allowing them to disclose sensitive information in the context of root.
Critical Impact
Network-adjacent attackers can exploit this SQL injection vulnerability without authentication to disclose sensitive information from the router, potentially exposing credentials, configuration data, and other critical system information.
Affected Products
- ASUS RT-AX92U Firmware version 3.0.0.4.386.46061
- ASUS RT-AX92U Hardware
Discovery Timeline
- 2024-05-03 - CVE-2023-35720 published to NVD
- 2025-08-12 - Last updated in NVD database
Technical Details for CVE-2023-35720
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) resides in the WebDAV module (mod_webdav.so) of the lighttpd web server running on ASUS RT-AX92U routers. The vulnerability allows unauthenticated network-adjacent attackers to craft malicious requests that inject SQL commands into backend database queries.
The attack surface is accessible from the adjacent network, meaning an attacker must have network proximity to the target router (such as being on the same local network or WiFi segment). The vulnerability requires no user interaction and no prior authentication, making it particularly dangerous in shared network environments.
The information disclosure occurs with root-level privileges, which means attackers can potentially access any data stored in the router's database, including administrative credentials, network configurations, connected device information, and other sensitive operational data.
Root Cause
The root cause of this vulnerability is improper input validation in the mod_webdav.so module. When parsing incoming WebDAV requests, the module directly incorporates user-supplied string values into SQL query construction without proper sanitization or parameterization. This allows specially crafted input containing SQL syntax to modify the intended query logic and extract unauthorized data from the database.
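The difference between query concatenation and parameterization, shown as an added example that is not code from mod_webdav.so or from this advisory. Python's sqlite3 stands in for the router's database; the props table, its rows and the function names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed in-memory table; schema and rows are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE props (resource TEXT, name TEXT, value TEXT)")
    db.executemany(
        "INSERT INTO props VALUES (?, ?, ?)",
        [
            ("/share/public.txt", "displayname", "public.txt"),
            ("/share/private.cfg", "displayname", "private.cfg"),
        ],
    )
    return db


def lookup_concat(db, resource):
    # Pattern described in the root cause: the request string is pasted
    # into the SQL text, so quotes in it change the query's structure.
    sql = "SELECT resource, value FROM props WHERE resource = '" + resource + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, resource):
    # Parameterized form: the value is bound, never parsed as SQL.
    sql = "SELECT resource, value FROM props WHERE resource = ?"
    return db.execute(sql, (resource,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "/share/public.txt' OR '1'='1"  # constructed input
    print("concatenated:", lookup_concat(db, crafted))
    print("bound:       ", lookup_bound(db, crafted))
```

With the concatenated query the crafted string returns every row in the table; with the bound parameter it is compared as a literal resource name and matches nothing.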
Attack Vector
The attack vector requires network adjacency, meaning the attacker must be positioned on the same network segment as the vulnerable router. The attack can be executed by:
- Connecting to the same network as the target ASUS RT-AX92U router
- Sending a crafted WebDAV request to the router's lighttpd web server
- Including malicious SQL injection payloads in request parameters processed by mod_webdav.so
- Extracting sensitive information from database responses
The vulnerability was tracked by the Zero Day Initiative as ZDI-CAN-16078 and published as ZDI-23-1166.
Detection Methods for CVE-2023-35720
Indicators of Compromise
- Unusual WebDAV requests to the router's web interface containing SQL-specific characters such as single quotes, double dashes, or UNION statements
- Anomalous traffic patterns from network-adjacent devices targeting the router's HTTP/HTTPS ports
- Unexpected database queries or errors in router logs indicating SQL injection attempts
- Evidence of data exfiltration or unauthorized access to router configuration files
Detection Strategies
- Monitor network traffic for WebDAV requests containing SQL injection patterns targeting the router interface
- Implement intrusion detection rules to identify SQL injection payloads in HTTP request parameters
- Review router access logs for repeated or unusual requests to WebDAV endpoints
- Deploy network segmentation monitoring to detect lateral movement from compromised adjacent devices
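One way to apply the indicators and log-review strategy above, as an added example that is not part of the original advisory: a scanner that URL-decodes each request target (including double encoding) and flags single quotes, double dashes and UNION SELECT. The access-log layout, the addresses and the sample lines are constructed assumptions; adapt the line pattern to whatever the router or an upstream sensor actually records.

```python
import re
from urllib.parse import unquote

SQL_PATTERNS = {
    "single_quote": re.compile(r"'"),
    "double_dash": re.compile(r"--"),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
}

# Assumed layout: source address first, request line in the first quoted field.
LINE_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines.
SAMPLE = [
    '192.168.50.23 router - [12/Aug/2025:10:01:02 +0000] "PROPFIND /share/docs/ HTTP/1.1" 207 812 "-" "davfs2"',
    '192.168.50.77 router - [12/Aug/2025:10:01:09 +0000] "PROPFIND /share/x%27%20UNION%20SELECT%201-- HTTP/1.1" 500 0 "-" "-"',
    '192.168.50.77 router - [12/Aug/2025:10:01:11 +0000] "GET /share/x%2527%2520OR%25201%253D1 HTTP/1.1" 500 0 "-" "-"',
    '192.168.50.23 router - [12/Aug/2025:10:02:00 +0000] "PUT /share/notes-2025.txt HTTP/1.1" 201 0 "-" "davfs2"',
]


def decode(target, rounds=3):
    # Decode repeatedly so double-encoded input (%2527 -> %27 -> ') is caught.
    for _ in range(rounds):
        nxt = unquote(target)
        if nxt == target:
            break
        target = nxt
    return target


def scan(lines):
    """Return (source, method, matched indicator names) for suspicious requests."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        decoded = decode(m["target"])
        matched = [name for name, rx in SQL_PATTERNS.items() if rx.search(decoded)]
        if matched:
            hits.append((m["src"], m["method"], matched))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A lone single quote also appears in legitimate file names, so treat that indicator as a triage signal and weight combinations (quote plus UNION or comment marker, repeated hits from one source) more heavily.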
Monitoring Recommendations
- Enable detailed logging on the ASUS RT-AX92U router if available through firmware settings
- Configure network monitoring tools to alert on SQL injection attack signatures
- Implement periodic firmware version checks to ensure the device is running patched firmware
- Monitor for any unauthorized configuration changes or credential access on the router
How to Mitigate CVE-2023-35720
Immediate Actions Required
- Update the ASUS RT-AX92U firmware to the latest available version from the ASUS Support Page
- Restrict network access to trusted devices only to minimize adjacent network attack exposure
- Disable WebDAV functionality on the router if not required for normal operations
- Implement network segmentation to isolate the router management interface from untrusted network segments
Patch Information
ASUS has released firmware updates to address this vulnerability. Users should visit the ASUS RT-AX92U Support Page to download and install the latest firmware version. The vulnerability affects firmware version 3.0.0.4.386.46061 and potentially earlier versions.
For additional technical details about this vulnerability, refer to the Zero Day Initiative Advisory ZDI-23-1166.
Workarounds
- Disable WebDAV functionality on the router through the administration interface if the feature is not required
- Implement MAC address filtering to restrict which devices can access the router's management interface
- Place the router behind an additional firewall or network access control system to limit adjacent network exposure
- Consider using a VPN for remote management rather than exposing the router's web interface directly