Description

A vulnerability in the web-based management interface of Cisco Small Business RV160 and RV260 Series VPN Routers could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands using root-level privileges on the affected device. To exploit this vulnerability, the attacker must have valid Administrator-level credentials on the affected device.

Related CPE's

o

cisco

rv160_vpn_router_firmware

Vulnerable

h

cisco

rv160_vpn_router

-

o

cisco

rv160w_wireless-ac_vpn_router_firmware

Vulnerable

h

cisco

rv160w_wireless-ac_vpn_router

-

o

cisco

rv260_vpn_router_firmware

Vulnerable

h

cisco

rv260_vpn_router

-

o

cisco

rv260p_vpn_router_with_poe_firmware

2

h

cisco

rv260p_vpn_router_with_poe

2

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-cmd-exe-n47kJQLE

Vendor Advisory

Weaknesses

[email protected]

Primary
CWE-20

[email protected]

Secondary
CWE-77

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2023-01-20T07:15:16.713

2 years ago

Last modified

2024-01-25T17:15:27.277

1 year ago