CVE-2023-20118

Warning

EPSS 2.03%
Published 13.04.2023 07:15:21
Last modified 02.04.2025 20:31:59
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device.

 This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device.

 Cisco has not and will not release software updates that address this vulnerability.   However, administrators may disable the affected feature as described in the Workarounds ["#workarounds"] section.

  {{value}} ["%7b%7bvalue%7d%7d"])}]]

Affected products Warnungen 1 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Rv016 Firmware

Cisco ≫ Rv016 Version-

Cisco ≫ Rv042 Firmware

Cisco ≫ Rv042 Version-

Cisco ≫ Rv042g Firmware

Cisco ≫ Rv042g Version-

Cisco ≫ Rv082 Firmware

Cisco ≫ Rv082 Version-

Cisco ≫ Rv320 Firmware

Cisco ≫ Rv320 Version-

Cisco ≫ Rv325 Firmware

Cisco ≫ Rv325 Version-

03.03.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Cisco Small Business RV Series Routers Command Injection Vulnerability

Vulnerability

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data.

Description

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.03%	0.831

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
psirt@cisco.com	6.5	1.2	5.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2023-20118

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-20118

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-20118

EUVD