Cisco has patched multiple critical security vulnerabilities impacting its RV Series routers that could be weaponized to elevate privileges and execute arbitrary code on affected systems, while also warning of the existence of proof-of-concept (PoC) exploit code targeting some of these bugs.
Three of the 15 flaws, tracked as CVE-2022-20699, CVE-2022-20700, and CVE-2022-20707, carry the highest CVSS rating of 10.0, and affect its Small Business RV160, RV260, RV340, and RV345 Series routers.
Additionally, the flaws could be exploited to bypass authentication and authorization protections, retrieve and run unsigned software, and even cause denial-of-service (DoS) conditions.
The networking equipment maker acknowledged that it’s “aware that proof-of-concept exploit code is available for several of the vulnerabilities” but didn’t share any further specifics on the nature of the exploit or the identity of the threat actors that may be exploiting them.
CVE-2022-20699 concerns a case of remote code execution that could be exploited by an attacker by sending specially crafted HTTP requests to a device that functions as an SSL VPN Gateway, effectively leading to the execution of malicious code with root privileges.
CVE-2022-20700, CVE-2022-20701 (CVSS score: 9.0), and CVE-2022-20702 (CVSS score: 6.0), which the company said stems from an insufficient authorization enforcement mechanism, could be abused to elevate privileges to root and execute arbitrary commands on the affected system.
CVE-2022-20708, the third flaw to receive a 10.0 score on the CVSS scale, is due to insufficient validation of user-supplied input, enabling the adversary to inject malicious commands and get them on the underlying Linux operating system.
Other flaws fixed by Cisco are as follows:
- CVE-2022-20703 (CVSS score: 9.3) – Cisco Small Business RV Series Routers Digital Signature Verification Bypass Vulnerability
- CVE-2022-20704 (CVSS score: 4.8) – Cisco Small Business RV Series Routers SSL Certificate Validation Vulnerability
- CVE-2022-20705 (CVSS score: 5.3) – Cisco Small Business RV Series Routers Improper Session Management Vulnerability
- CVE-2022-20706 (CVSS score: 8.3) – Cisco RV Series Routers Open Plug and Play Command Injection Vulnerability
- CVE-2022-20707 and CVE-2022-20749 (CVSS scores: 7.3) – Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Command Injection Vulnerabilities
- CVE-2022-20709 (CVSS score: 5.3) – Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability
- CVE-2022-20710 (CVSS score: 5.3) – Cisco Small Business RV Series Routers GUI Denial of Service Vulnerability
- CVE-2022-20711 (CVSS score: 8.2) – Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Overwrite Vulnerability
- CVE-2022-20712 (CVSS score: 7.3) – Cisco Small Business RV Series Routers Upload Module Remote Code Execution Vulnerability
Cisco also stressed that there are no workarounds that address these aforementioned weaknesses, urging customers to update to the latest version of the software as soon as possible to counter any potential attacks.
You may also enjoy reading, The largest DDoS to date, Microsoft mitigates a 3.47 Tbps DDoS attack
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
- UK bans Chinese CCTV cameras at ‘sensitive’ government locations - 26 November 2022
- Chrome Update: Exploited Zero-Day Vulnerability fixed by Google, the 8th this year - 25 November 2022
- RESEARCH: analytics information related to iPhones include a Directory Services Identifier (DSID) that may be used to identify users - 24 November 2022