Cisco releases Critical advisory for Small Business RV routers

Cisco has released a Critical security update for multiple vulnerabilities in Small Business RV Routers.  The most severe of the Critical vulnerabilities has a CVSS score of 9.8.

An attacker could remotely exploit some of these vulnerabilities to take control of an impacted system.

In all, the Cisco advisory addressed three vulnerabilities (along with CVSS score):

  • CVE-2022-20842: Cisco Small Business RV Series Routers Remote Code Execution and Denial of Service Vulnerability (CVSS 9.8)
  • CVE-2022-20827: Cisco Small Business RV Series Routers Web Filter Database Update Command Injection Vulnerability (CVSS 9.1)
  • CVE-2022-20841: Cisco Small Business RV Series Routers Open Plug and Play Command Injection Vulnerability.

The most severe issue CVE-2022-20842 affects the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers.

As a result, Cisco warned that an unauthenticated, remote attacker could execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

Moreover, Cisco confirmed each of the vulnerabilities are dependent on one another and “exploitation of one of the vulnerabilities may be required to exploit another vulnerability.”

Readers can check out the Cisco Security Advisories site for the latest updates for multiple Cisco products, last updated August 3, 2022.