Cisco has revealed four of its small business router ranges have critical flaws – for the second time in 2022 alone.
A Wednesday advisory warns owners of the RV160, RV260, RV340, and RV345 Series Routers that the vulnerabilities could allow “an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device.”
The four ranges were whacked with three 10/10 bugs in February 2022.
This time around the worst of the bugs – CVE-2022-20842 – is rated 9.8/10 on the Common Vulnerability Scoring System (CVSS).
Exploitation of one vulnerability may be required to exploit another
Cisco says a vulnerability in the web-based management interface of the RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow execution of arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service condition. “This vulnerability is due to insufficient validation of user-supplied input to the web-based management interface,” Cisco states.
CVE-2022-20827 is rated 9/10 and applies to all four of the abovementioned router ranges.
Cisco describes the flaw as “A vulnerability in the web filter database” that “could allow an unauthenticated, remote attacker to perform a command injection and execute commands on the underlying operating system with root privileges.”
“This vulnerability is due to insufficient input validation,” Cisco adds, meaning an attacker could submit crafted input to the web filter database update feature and then execute commands on the underlying operating system.