Cisco patches critical remote code execution bugs in VPN routers

Updated on: 04 August 2022

Vilius Petkauskas
Deputy Editor

Cisco routers with critical vulnerabilities — Image by Shutterstock.

Cisco released patches to mitigate vulnerabilities, some of which would allow remote code execution (RCE) attacks or cause a denial of service (DoS) in a device.

US tech giant Cisco released patches for critical vulnerabilities affecting its Small Business RV series routers. The flaws affect RV160, RV260, RV340, and RV345 series models and could allow unauthorized remote access.

According to Cisco’s advisory, the vulnerabilities depend on one another for an exploit, meaning a potential attacker would have to use a conjunction of flaws to carry out an attack successfully.

Tracked as CVE-2022-20842, the bug developed due to insufficient validation of user-supplied input to the web-based management interface.

“A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition,” Cisco’s advisory explained.

Another flaw, CVE-2022-20827, stems from insufficient input validation and allows attackers to perform command injection with root privileges. Threat actors could exploit the bug by submitting crafted input to the web filter database update feature.

The third bug Cisco outlined, CVE-2022-20841, comes from insufficient validation of user-supplied input. Attackers could exploit this by sending malicious input to an affected device.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system,” the company said.

While there’s no indication that vulnerabilities were exploited in the wild, Cisco advises customers to upgrade device software. The models of affected devices, necessary updates and releases are specified in the company’s advisory.