CVE-2022-20923 (CVSS base score 9.8)

A vulnerability in the IPSec VPN Server authentication functionality of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to bypass authentication controls and access the IPSec VPN network. This vulnerability is due to the improper implementation of the password validation algorithm. An attacker could exploit this vulnerability by logging in to the VPN from an affected device with crafted credentials. A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network. The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used. Cisco has not released software updates that address this vulnerability.

Data provided by the National Vulnerability Database (NVD)
Affected products (CPE data; "-" means the hardware version is not specified):

Product         Firmware versions             Hardware version
Cisco RV110W    1.0.3.55, 1.2.2.8, 1.3.1.7    -
Cisco RV130     1.0.3.55, 1.2.2.8, 1.3.1.7    -
Cisco RV130W    1.0.3.55, 1.2.2.8, 1.3.1.7    -
Cisco RV215W    1.0.3.55, 1.2.2.8, 1.3.1.7    -
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS metrics

Type    Source      Score    Percentile
EPSS    FIRST.org   0.06%    0.204

CVSS metrics

Source            Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov      9.8          3.9             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
psirt@cisco.com   4            2.2             1.4            CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-303 Incorrect Implementation of Authentication Algorithm

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.