Cisco has a security update for 14 vulnerabilities in its Small Business RV Series routers, the most critical of which might allow attackers to get unauthenticated remote code execution or run arbitrary commands on the basic Linux operating machine.
“The Cisco PSIRT is aware that proof-of-concept exploit code is available for several of the vulnerabilities that are described in this advisory. Some of the vulnerabilities are dependent on one another. The exploitation of one of the vulnerabilities may be required to exploit another vulnerability,” said Cisco in the accompanying security advisory. Fortunately, the proofs of concepts aren’t public — Cisco (mainly) refers to the exploits used by security researchers to “pwn” the Cisco RV340 router during the Pwn2Own hacking event in November 2021 in Austin, Texas.
Cisco Small Business RV160, RV260, RV340, and RV345 Series routers are affected by the flaws.
They were assigned CVE numbers in order, beginning with CVE-2022-20699 and concluding with CVE-2022-20712. CVE-2022-20749 has been assigned to the last one.
They may provide attackers the ability to:
- Obtain RCE
- Increase their rights to root and allow them to run commands.
- On an affected device, install and boot a malicious software image or run unsigned binaries.
- View or modify data shared between a vulnerable device and certain Cisco servers.
- Obtain access to the device’s web UI by bypassing authentication protections.
- On the underlying operating system, inject and execute arbitrary commands.
As there are no workarounds, it is advised that users install the specified security updates as soon as possible.
While a security upgrade for the RV340 and RV345 Series routers is currently available, one for the RV160 and RV260 Series routers is still in the works and will be published later this month.