Cisco Patches 2 Critical RCE Vulnerabilities Impacting VPN routers

August 4, 2022

Cisco has patched critical security vulnerabilities that could allow unauthenticated remote attackers to execute arbitrary code or commands, or to cause a denial of service (DoS) condition, on vulnerable devices.

The vulnerabilities were discovered in the web-based management interfaces and the web filter database update feature, and are both caused by insufficient input validation.

The Vulnerabilities

  • CVE-2022-20842 (CVSS score: 9.8) – Cisco Small Business RV Series Routers Remote Code Execution and Denial of Service Vulnerability.
  • CVE-2022-20827 (CVSS score: 9.0) – Cisco Small Business RV Series Routers Web Filter Database Update Command Injection Vulnerability.

Affected Products

  • RV160 and RV260 Series Routers running firmware 1.0.01.05 and earlier
  • RV340 and RV345 Series Routers running firmware 1.0.03.26 and earlier
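To turn the affected-product list above into an inventory check, the following added example (not code from Cisco, CYREBRO, or the Cisco advisory) compares a device's firmware version against the last affected version per model family as listed on this page. It parses Cisco-style dotted versions numerically rather than as strings, and maps model variants such as "RV345P" or "RV160W" to their family; that normalisation, and the sample inventory, are assumptions constructed for the demonstration. The page does not name the fixed releases, so the check only reports whether a version falls inside the listed affected range; the fixed release numbers come from the Cisco advisory.

```python
"""Check Cisco Small Business RV router firmware versions against the
affected ranges listed in this advisory summary.

Added example; not Cisco's or CYREBRO's code. The thresholds below are
taken from the page (RV160/RV260: 1.0.01.05 and earlier, RV340/RV345:
1.0.03.26 and earlier). The page does not state the fixed releases, so
this only flags versions inside the affected range. The sample
inventory is constructed for the demonstration, not real device data.
"""
import re

# Highest affected firmware version per model family (from the advisory summary).
LAST_AFFECTED = {
    "RV160": "1.0.01.05",
    "RV260": "1.0.01.05",
    "RV340": "1.0.03.26",
    "RV345": "1.0.03.26",
}


def parse_version(version: str) -> tuple:
    """Turn a dotted Cisco version such as '1.0.03.26' into a tuple of ints.

    Numeric comparison is required: a plain string comparison would sort
    '1.0.03.26' before '1.0.03.3' because '2' < '3'.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def normalise_model(model: str) -> str:
    """Map variants such as 'RV345P' or 'rv160w' to the family key (assumption:
    the first 'RV' plus three digits identifies the family)."""
    m = re.match(r"(?i)(RV\d{3})", model.strip())
    if not m:
        raise ValueError(f"not an RV-series model: {model!r}")
    return m.group(1).upper()


def is_affected(model: str, version: str) -> bool:
    """True when the model family is listed on the page and the firmware is at
    or below the last affected version. Unlisted families return False."""
    family = normalise_model(model)
    if family not in LAST_AFFECTED:
        return False
    return parse_version(version) <= parse_version(LAST_AFFECTED[family])


def triage(inventory):
    """Return (model, version, affected) for each (model, version) pair."""
    return [(m, v, is_affected(m, v)) for m, v in inventory]


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = [
    ("RV340", "1.0.03.26"),   # at the threshold: affected
    ("RV345P", "1.0.03.24"),  # below the threshold: affected
    ("RV160W", "1.0.01.05"),  # at the threshold: affected
    ("RV260", "1.0.01.07"),   # above the threshold: not in the listed range
    ("RV042", "4.2.3.14"),    # family not listed on this page: not flagged
]

if __name__ == "__main__":
    for model, version, affected in triage(SAMPLE_INVENTORY):
        status = "AFFECTED" if affected else "not in listed range"
        print(f"{model:8} {version:12} {status}")
```

Feed the script your own (model, version) pairs exported from a device inventory; anything flagged AFFECTED should be scheduled for the fixed release named in the Cisco advisory.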

Mitigation

CYREBRO recommends updating Cisco VPN routers to an appropriate fixed software release.

References: Cisco Advisory.